mei: fix device reset on mei_cl_irq_read_msg allocation failure

On memory allocation failure mei_cl_irq_read_msg will
return with error that will cause device reset.
Instead we should propagate error to caller and
just clean the read queues.

Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/misc/mei/bus.c

@@ -322,10 +322,16 @@ ssize_t __mei_cl_recv(struct mei_cl *cl, u8 *buf, size_t length)
 		goto out;
 	}
 
+	if (cb->status) {
+		rets = cb->status;
+		goto free;
+	}
+
 	r_length = min_t(size_t, length, cb->buf_idx);
 	memcpy(buf, cb->response_buffer.data, r_length);
 	rets = r_length;
 
+free:
 	mei_io_cb_free(cb);
 	cl->reading_state = MEI_IDLE;
 	cl->read_cb = NULL;

drivers/misc/mei/interrupt.c

@@ -69,85 +69,91 @@ static inline int mei_cl_hbm_equal(struct mei_cl *cl,
 		cl->me_client_id == mei_hdr->me_addr;
 }
 /**
- * mei_cl_is_reading - checks if the client
+ * mei_cl_is_reading - checks if the client is in reading state
- *		is the one to read this message
  *
  * @cl: mei client
- * @mei_hdr: header of mei message
  *
- * Return: true on match and false otherwise
+ * Return: true if the client is reading
  */
-static bool mei_cl_is_reading(struct mei_cl *cl, struct mei_msg_hdr *mei_hdr)
+static bool mei_cl_is_reading(struct mei_cl *cl)
 {
-	return mei_cl_hbm_equal(cl, mei_hdr) &&
+	return cl->state == MEI_FILE_CONNECTED &&
-		cl->state == MEI_FILE_CONNECTED &&
 		cl->reading_state != MEI_READ_COMPLETE;
 }
 
 /**
  * mei_cl_irq_read_msg - process client message
  *
- * @dev: the device structure
+ * @cl: reading client
  * @mei_hdr: header of mei client message
- * @complete_list: An instance of our list structure
+ * @complete_list: completion list
  *
- * Return: 0 on success, <0 on failure.
+ * Return: always 0
  */
-static int mei_cl_irq_read_msg(struct mei_device *dev,
+static int mei_cl_irq_read_msg(struct mei_cl *cl,
 			       struct mei_msg_hdr *mei_hdr,
 			       struct mei_cl_cb *complete_list)
 {
-	struct mei_cl *cl;
+	struct mei_device *dev = cl->dev;
-	struct mei_cl_cb *cb, *next;
+	struct mei_cl_cb *cb;
 	unsigned char *buffer = NULL;
 
-	list_for_each_entry_safe(cb, next, &dev->read_list.list, list) {
+	list_for_each_entry(cb, &dev->read_list.list, list) {
-		cl = cb->cl;
+		if (cl == cb->cl)
-		if (!mei_cl_is_reading(cl, mei_hdr))
+			break;
-			continue;
-
-		cl->reading_state = MEI_READING;
-
-		if (cb->response_buffer.size == 0 ||
-		    cb->response_buffer.data == NULL) {
-			cl_err(dev, cl, "response buffer is not allocated.\n");
-			list_del(&cb->list);
-			return -ENOMEM;
-		}
-
-		if (cb->response_buffer.size < mei_hdr->length + cb->buf_idx) {
-			cl_dbg(dev, cl, "message overflow. size %d len %d idx %ld\n",
-				cb->response_buffer.size,
-				mei_hdr->length, cb->buf_idx);
-			buffer = krealloc(cb->response_buffer.data,
-					  mei_hdr->length + cb->buf_idx,
-					  GFP_KERNEL);
-
-			if (!buffer) {
-				list_del(&cb->list);
-				return -ENOMEM;
-			}
-			cb->response_buffer.data = buffer;
-			cb->response_buffer.size =
-				mei_hdr->length + cb->buf_idx;
-		}
-
-		buffer = cb->response_buffer.data + cb->buf_idx;
-		mei_read_slots(dev, buffer, mei_hdr->length);
-
-		cb->buf_idx += mei_hdr->length;
-		if (mei_hdr->msg_complete) {
-			cl->status = 0;
-			list_del(&cb->list);
-			cl_dbg(dev, cl, "completed read length = %lu\n",
-				cb->buf_idx);
-			list_add_tail(&cb->list, &complete_list->list);
-		}
-		break;
 	}
 
-	dev_dbg(dev->dev, "message read\n");
+	if (&cb->list == &dev->read_list.list) {
+		dev_err(dev->dev, "no reader found\n");
+		goto out;
+	}
+
+	if (!mei_cl_is_reading(cl)) {
+		cl_err(dev, cl, "cl is not reading state=%d reading state=%d\n",
+			cl->state, cl->reading_state);
+		goto out;
+	}
+
+	cl->reading_state = MEI_READING;
+
+	if (cb->response_buffer.size == 0 ||
+	    cb->response_buffer.data == NULL) {
+		cl_err(dev, cl, "response buffer is not allocated.\n");
+		list_move_tail(&cb->list, &complete_list->list);
+		cb->status = -ENOMEM;
+		goto out;
+	}
+
+	if (cb->response_buffer.size < mei_hdr->length + cb->buf_idx) {
+		cl_dbg(dev, cl, "message overflow. size %d len %d idx %ld\n",
+			cb->response_buffer.size, mei_hdr->length, cb->buf_idx);
+		buffer = krealloc(cb->response_buffer.data,
+				  mei_hdr->length + cb->buf_idx,
+				  GFP_KERNEL);
+
+		if (!buffer) {
+			cb->status = -ENOMEM;
+			list_move_tail(&cb->list, &complete_list->list);
+			goto out;
+		}
+		cb->response_buffer.data = buffer;
+		cb->response_buffer.size = mei_hdr->length + cb->buf_idx;
+	}
+
+	buffer = cb->response_buffer.data + cb->buf_idx;
+	mei_read_slots(dev, buffer, mei_hdr->length);
+
+	cb->buf_idx += mei_hdr->length;
+	if (mei_hdr->msg_complete) {
+		cl_dbg(dev, cl, "completed read length = %lu\n",
+			cb->buf_idx);
+		list_move_tail(&cb->list, &complete_list->list);
+	}
+
+out:
 	if (!buffer) {
+		/* assume that mei_hdr->length <= MEI_RD_MSG_BUF_SIZE */
+		BUG_ON(mei_hdr->length > MEI_RD_MSG_BUF_SIZE);
 		mei_read_slots(dev, dev->rd_msg_buf, mei_hdr->length);
 		dev_dbg(dev->dev, "discarding message " MEI_HDR_FMT "\n",
 				MEI_HDR_PRM(mei_hdr));
@@ -389,14 +395,10 @@ int mei_irq_read_handler(struct mei_device *dev,
 			goto end;
 		}
 	} else {
-		ret = mei_cl_irq_read_msg(dev, mei_hdr, cmpl_list);
+		ret = mei_cl_irq_read_msg(cl, mei_hdr, cmpl_list);
-		if (ret) {
-			dev_err(dev->dev, "mei_cl_irq_read_msg failed = %d\n",
-					ret);
-			goto end;
-		}
 	}
 
+
 reset_slots:
 	/* reset the number of slots and header */
 	*slots = mei_count_full_read_slots(dev);
@@ -636,4 +638,3 @@ out:
 		schedule_delayed_work(&dev->timer_work, 2 * HZ);
 	mutex_unlock(&dev->device_lock);
 }
-

drivers/misc/mei/main.c

@@ -192,8 +192,8 @@ static ssize_t mei_read(struct file *file, char __user *ubuf,
 		goto out;
 	}
 
-	if (cl->read_cb) {
+	cb = cl->read_cb;
-		cb = cl->read_cb;
+	if (cb) {
 		/* read what left */
 		if (cb->buf_idx > *offset)
 			goto copy_buffer;
@@ -218,7 +218,8 @@ static ssize_t mei_read(struct file *file, char __user *ubuf,
 	}
 
 	if (MEI_READ_COMPLETE != cl->reading_state &&
-			!waitqueue_active(&cl->rx_wait)) {
+		!waitqueue_active(&cl->rx_wait)) {
+
 		if (file->f_flags & O_NONBLOCK) {
 			rets = -EAGAIN;
 			goto out;
@@ -248,12 +249,20 @@ static ssize_t mei_read(struct file *file, char __user *ubuf,
 		rets = -ENODEV;
 		goto out;
 	}
+
 	if (cl->reading_state != MEI_READ_COMPLETE) {
 		rets = 0;
 		goto out;
 	}
-	/* now copy the data to user space */
+
 copy_buffer:
+	/* now copy the data to user space */
+	if (cb->status) {
+		rets = cb->status;
+		dev_dbg(dev->dev, "read operation failed %d\n", rets);
+		goto free;
+	}
+
 	dev_dbg(dev->dev, "buf.size = %d buf.idx= %ld\n",
 	    cb->response_buffer.size, cb->buf_idx);
 	if (length == 0 || ubuf == NULL || *offset > cb->buf_idx) {

drivers/misc/mei/mei_dev.h

@@ -199,6 +199,7 @@ struct mei_cl;
  * @buf_idx: last read index
  * @read_time: last read operation time stamp (iamthif)
  * @file_object: pointer to file structure
+ * @status: io status of the cb
  * @internal: communication between driver and FW flag
  */
 struct mei_cl_cb {
@@ -210,6 +211,7 @@ struct mei_cl_cb {
 	unsigned long buf_idx;
 	unsigned long read_time;
 	struct file *file_object;
+	int status;
 	u32 internal:1;
 };