mei: fix reading large reposnes

While writting to device is limitted to max_msg_length advertized
in client properites the read can be much longer delivered consequiting chunks.

We use krealloc to enlarge the buffer when needed.

Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/misc/mei/bus.c

@@ -286,7 +286,7 @@ int __mei_cl_recv(struct mei_cl *cl, u8 *buf, size_t length)
 	mutex_lock(&dev->device_lock);
 
 	if (!cl->read_cb) {
-		err = mei_cl_read_start(cl);
+		err = mei_cl_read_start(cl, length);
 		if (err < 0) {
 			mutex_unlock(&dev->device_lock);
 			return err;
@@ -378,7 +378,7 @@ static void mei_bus_event_work(struct work_struct *work)
 	device->events = 0;
 
 	/* Prepare for the next read */
-	mei_cl_read_start(device->cl);
+	mei_cl_read_start(device->cl, 0);
 }
 
 int mei_cl_register_event_cb(struct mei_cl_device *device,
@@ -392,7 +392,7 @@ int mei_cl_register_event_cb(struct mei_cl_device *device,
 	device->event_context = context;
 	INIT_WORK(&device->event_work, mei_bus_event_work);
 
-	mei_cl_read_start(device->cl);
+	mei_cl_read_start(device->cl, 0);
 
 	return 0;
 }
@@ -436,7 +436,7 @@ int mei_cl_enable_device(struct mei_cl_device *device)
 	mutex_unlock(&dev->device_lock);
 
 	if (device->event_cb && !cl->read_cb)
-		mei_cl_read_start(device->cl);
+		mei_cl_read_start(device->cl, 0);
 
 	if (!device->ops || !device->ops->enable)
 		return 0;

drivers/misc/mei/client.c

@@ -624,7 +624,7 @@ int mei_cl_flow_ctrl_reduce(struct mei_cl *cl)
  *
  * returns 0 on success, <0 on failure.
  */
-int mei_cl_read_start(struct mei_cl *cl)
+int mei_cl_read_start(struct mei_cl *cl, size_t length)
 {
 	struct mei_device *dev;
 	struct mei_cl_cb *cb;
@@ -657,8 +657,9 @@ int mei_cl_read_start(struct mei_cl *cl)
 	if (!cb)
 		return -ENOMEM;
 
-	rets = mei_io_cb_alloc_resp_buf(cb,
-			dev->me_clients[i].props.max_msg_length);
+	/* always allocate at least client max message */
+	length = max_t(size_t, length, dev->me_clients[i].props.max_msg_length);
+	rets = mei_io_cb_alloc_resp_buf(cb, length);
 	if (rets)
 		goto err;
 

drivers/misc/mei/client.h

@@ -87,7 +87,7 @@ int mei_cl_flow_ctrl_reduce(struct mei_cl *cl);
 bool mei_cl_is_other_connecting(struct mei_cl *cl);
 int mei_cl_disconnect(struct mei_cl *cl);
 int mei_cl_connect(struct mei_cl *cl, struct file *file);
-int mei_cl_read_start(struct mei_cl *cl);
+int mei_cl_read_start(struct mei_cl *cl, size_t length);
 int mei_cl_write(struct mei_cl *cl, struct mei_cl_cb *cb, bool blocking);
 
 void mei_host_client_init(struct work_struct *work);

drivers/misc/mei/interrupt.c

@@ -145,9 +145,21 @@ static int mei_cl_irq_read_msg(struct mei_device *dev,
 		}
 
 		if (cb->response_buffer.size < mei_hdr->length + cb->buf_idx) {
-			dev_warn(&dev->pdev->dev, "message overflow.\n");
-			list_del(&cb->list);
-			return -ENOMEM;
+			dev_dbg(&dev->pdev->dev, "message overflow. size %d len %d idx %ld\n",
+				cb->response_buffer.size,
+				mei_hdr->length, cb->buf_idx);
+			cb->response_buffer.data =
+					krealloc(cb->response_buffer.data,
+					mei_hdr->length + cb->buf_idx,
+					GFP_KERNEL);
+
+			if (!cb->response_buffer.data) {
+				dev_err(&dev->pdev->dev, "allocation failed.\n");
+				list_del(&cb->list);
+				return -ENOMEM;
+			}
+			cb->response_buffer.size =
+				mei_hdr->length + cb->buf_idx;
 		}
 
 		buffer = cb->response_buffer.data + cb->buf_idx;

drivers/misc/mei/main.c

@@ -244,7 +244,7 @@ static ssize_t mei_read(struct file *file, char __user *ubuf,
 		goto out;
 	}
 
-	err = mei_cl_read_start(cl);
+	err = mei_cl_read_start(cl, length);
 	if (err && err != -EBUSY) {
 		dev_dbg(&dev->pdev->dev,
 			"mei start read failure with status = %d\n", err);
@@ -292,9 +292,8 @@ static ssize_t mei_read(struct file *file, char __user *ubuf,
 	}
 	/* now copy the data to user space */
 copy_buffer:
-	dev_dbg(&dev->pdev->dev, "cb->response_buffer size - %d\n",
-	    cb->response_buffer.size);
-	dev_dbg(&dev->pdev->dev, "cb->buf_idx - %lu\n", cb->buf_idx);
+	dev_dbg(&dev->pdev->dev, "buf.size = %d buf.idx= %ld\n",
+	    cb->response_buffer.size, cb->buf_idx);
 	if (length == 0 || ubuf == NULL || *offset > cb->buf_idx) {
 		rets = -EMSGSIZE;
 		goto free;