This is a note to let you know that I've just added the patch titled
mei: hbm: fix client dma reply status
to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch.
The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.)
The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open.
If you have any questions about this process, please let me know.
From 6b0b80ac103b2a40c72a47c301745fd1f4ef4697 Mon Sep 17 00:00:00 2001 From: Alexander Usyskin alexander.usyskin@intel.com Date: Tue, 28 Dec 2021 10:20:47 +0200 Subject: mei: hbm: fix client dma reply status
Don't blindly copy status value received from the firmware into internal client status field, It may be positive and ERR_PTR(ret) will translate it into an invalid address and the caller will crash.
Put the error code into the client status on failure.
Fixes: 369aea845951 ("mei: implement client dma setup.") Cc: stable@vger.kernel.org # v5.11+ Reported-by: Emmanuel Grumbach emmanuel.grumbach@intel.com Tested-by: : Emmanuel Grumbach emmanuel.grumbach@intel.com Acked-by: Tomas Winkler tomas.winkler@intel.com Signed-off-by: Alexander Usyskin alexander.usyskin@intel.com Signed-off-by: Tomas Winkler tomas.winkler@intel.com Link: https://lore.kernel.org/r/20211228082047.378115-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/misc/mei/hbm.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/drivers/misc/mei/hbm.c b/drivers/misc/mei/hbm.c index be41843df75b..cebcca6d6d3e 100644 --- a/drivers/misc/mei/hbm.c +++ b/drivers/misc/mei/hbm.c @@ -672,10 +672,14 @@ static void mei_hbm_cl_dma_map_res(struct mei_device *dev, if (!cl) return;
- dev_dbg(dev->dev, "cl dma map result = %d\n", res->status); - cl->status = res->status; - if (!cl->status) + if (res->status) { + dev_err(dev->dev, "cl dma map failed %d\n", res->status); + cl->status = -EFAULT; + } else { + dev_dbg(dev->dev, "cl dma map succeeded\n"); cl->dma_mapped = 1; + cl->status = 0; + } wake_up(&cl->wait); }
@@ -698,10 +702,14 @@ static void mei_hbm_cl_dma_unmap_res(struct mei_device *dev, if (!cl) return;
- dev_dbg(dev->dev, "cl dma unmap result = %d\n", res->status); - cl->status = res->status; - if (!cl->status) + if (res->status) { + dev_err(dev->dev, "cl dma unmap failed %d\n", res->status); + cl->status = -EFAULT; + } else { + dev_dbg(dev->dev, "cl dma unmap succeeded\n"); cl->dma_mapped = 0; + cl->status = 0; + } wake_up(&cl->wait); }