summaryrefslogtreecommitdiff
path: root/drivers/misc/mei/hw-me.c
diff options
context:
space:
mode:
authorTomas Winkler <tomas.winkler@intel.com>2018-07-12 17:10:08 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2018-07-12 17:23:19 +0300
commitde8774371cdc4c18cd118490e0d61eccd5f2c4d8 (patch)
tree30fb1acac5d1fc5f5caeb47de3775f326a8112a2 /drivers/misc/mei/hw-me.c
parenta103af1b64d74853a5e08ca6c86aeb0e5c6ca4f1 (diff)
downloadlinux-de8774371cdc4c18cd118490e0d61eccd5f2c4d8.tar.xz
mei: check for error returned from mei_hbuf_empty_slots()
mei_hbuf_empty_slots() may return with an error in case of circular buffer overflow. This type of error may be caused only by a bug. However currently, the error won't be detected due signed type promotion in comparison to u32. We add explicit check for less then zero and explicit cast in comparison to suppress singn-compare warning. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/misc/mei/hw-me.c')
-rw-r--r--drivers/misc/mei/hw-me.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/misc/mei/hw-me.c b/drivers/misc/mei/hw-me.c
index 334ab02e1de2..a12b464bc0b4 100644
--- a/drivers/misc/mei/hw-me.c
+++ b/drivers/misc/mei/hw-me.c
@@ -540,8 +540,11 @@ static int mei_me_hbuf_write(struct mei_device *dev,
empty_slots = mei_hbuf_empty_slots(dev);
dev_dbg(dev->dev, "empty slots = %hu.\n", empty_slots);
+ if (empty_slots < 0)
+ return -EOVERFLOW;
+
dw_cnt = mei_data2slots(length);
- if (empty_slots < 0 || dw_cnt > empty_slots)
+ if (dw_cnt > (u32)empty_slots)
return -EMSGSIZE;
mei_me_hcbww_write(dev, *((u32 *) header));