Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2367913imu;
        Thu, 24 Jan 2019 11:31:11 -0800 (PST)
X-Google-Smtp-Source: ALg8bN6friwVkWmUiW6HU3B8TvyfsH9LG9au1cCHCfpwIgG7sbExwcgHqrGwQrPpXgRGqfjF/9nc
X-Received: by 2002:a63:ed42:: with SMTP id m2mr7175616pgk.147.1548358270934;
        Thu, 24 Jan 2019 11:31:10 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1548358270; cv=none;
        d=google.com; s=arc-20160816;
        b=SyulwVY1XFVvAQezUPXQ5A9wNbrIhLCiyGnADiBIzcRxc792vvTWaMzqJevZqApGxo
         WBmyw3j6qfJAIGWr+Zh7msqL55W7fQqJtGpjVa4liifqysGSR5+sqLOwO/myD83MxA0P
         tlwk0q7dfVLSzjVl3lL3SCKPhMuQjkW04q/XTpoWG4Iipihw11//NYZfnxbh5k5S528n
         Hc4Zg461Yg/qjWYrZ0Pfv2O0TD9GAo/PzUkSof30QHtRNq9YPfL+7HYbd459GP7IL9Qu
         EEG85SDwvWrzerKy/qGdGVQy7qO4truFGdUiyBCi4c0SuqWL6PAm/8kTMysinEzMhviE
         rrMg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=/KU2sfZ1BCbFJCHpJygF3kBkbVgQyddHlJtT+zuSgPM=;
        b=NSKCOib8cLggDF2Vtbz1P9mtkRADUflWLyOwNC5dR5ADgXqPlP2EJmvCiQLrdAvkdp
         O7ADZ0j8ZuFtimt8EVYUbPMNhTeCf0Tm40cP5Lr71Q8s8Xe0VKYgLFqIFrT0P+Hd+DuO
         xv3oFP12lP5eM+rnhFGbglBkbt/YfxlkGV2IwsEkxiazmK08SxLt5NTbnoZrihZNcuDZ
         jvRf6GZLJk3r9esTJFEqeW3nucBLxcN3JU5Q1Rjj4T4I6+QHG7QTvSPyniOskZ0tLP22
         cLW7e7eA74V5MGmmw4Xu9bajpDny8WNVG4f0rENWpTk1cdolfJWvdPWT6m5cuTBxIgnR
         3YlA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=hSlFUZQ2;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d13si22519353pgu.40.2019.01.24.11.30.55;
        Thu, 24 Jan 2019 11:31:10 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=hSlFUZQ2;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731023AbfAXT2l (ORCPT <rfc822;ivid.suvarna@gmail.com>
        + 99 others); Thu, 24 Jan 2019 14:28:41 -0500
Received: from mail.kernel.org ([198.145.29.99]:55448 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1731018AbfAXT2i (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 24 Jan 2019 14:28:38 -0500
Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 1BDFA218FC;
        Thu, 24 Jan 2019 19:28:36 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1548358117;
        bh=TJqqGn5C1BbUCFdFhRvH3EOSUhTtU0/QoU05477jDEE=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=hSlFUZQ2ljOaVa9yR3O/5hvLIOvK6p+CyPXhiIh+3S1obm84Bd1rAEjhb9fN/RuzE
         fTVfy90fZ74jZP8WjRX6L59jgT3Ig3az8ag8RgEA5Jp1WeRkkLn7p6Oqpp5WxmCWLQ
         EKsjWRMOLtbVO+xs4eGCfsAiPymMoIwWI+ryuZ4A=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Corey Minyard <cminyard@mvista.com>
Subject: [PATCH 4.4 104/104] ipmi:ssif: Fix handling of multi-part return messages
Date:   Thu, 24 Jan 2019 20:20:33 +0100
Message-Id: <20190124190205.859658191@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190124190154.968308875@linuxfoundation.org>
References: <20190124190154.968308875@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Corey Minyard <cminyard@mvista.com>

commit 7d6380cd40f7993f75c4bde5b36f6019237e8719 upstream.

The block number was not being compared right, it was off by one
when checking the response.

Some statistics wouldn't be incremented properly in some cases.

Check to see if that middle-part messages always have 31 bytes of
data.

Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: stable@vger.kernel.org # 4.4
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/ipmi/ipmi_ssif.c |   25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)

--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -637,8 +637,9 @@ static void msg_done_handler(struct ssif
 
 		/* Remove the multi-part read marker. */
 		len -= 2;
+		data += 2;
 		for (i = 0; i < len; i++)
-			ssif_info->data[i] = data[i+2];
+			ssif_info->data[i] = data[i];
 		ssif_info->multi_len = len;
 		ssif_info->multi_pos = 1;
 
@@ -666,8 +667,19 @@ static void msg_done_handler(struct ssif
 		}
 
 		blocknum = data[0];
+		len--;
+		data++;
+
+		if (blocknum != 0xff && len != 31) {
+		    /* All blocks but the last must have 31 data bytes. */
+			result = -EIO;
+			if (ssif_info->ssif_debug & SSIF_DEBUG_MSG)
+				pr_info("Received middle message <31\n");
 
-		if (ssif_info->multi_len + len - 1 > IPMI_MAX_MSG_LENGTH) {
+			goto continue_op;
+		}
+
+		if (ssif_info->multi_len + len > IPMI_MAX_MSG_LENGTH) {
 			/* Received message too big, abort the operation. */
 			result = -E2BIG;
 			if (ssif_info->ssif_debug & SSIF_DEBUG_MSG)
@@ -676,16 +688,14 @@ static void msg_done_handler(struct ssif
 			goto continue_op;
 		}
 
-		/* Remove the blocknum from the data. */
-		len--;
 		for (i = 0; i < len; i++)
-			ssif_info->data[i + ssif_info->multi_len] = data[i + 1];
+			ssif_info->data[i + ssif_info->multi_len] = data[i];
 		ssif_info->multi_len += len;
 		if (blocknum == 0xff) {
 			/* End of read */
 			len = ssif_info->multi_len;
 			data = ssif_info->data;
-		} else if (blocknum + 1 != ssif_info->multi_pos) {
+		} else if (blocknum != ssif_info->multi_pos) {
 			/*
 			 * Out of sequence block, just abort.  Block
 			 * numbers start at zero for the second block,
@@ -713,6 +723,7 @@ static void msg_done_handler(struct ssif
 		}
 	}
 
+ continue_op:
 	if (result < 0) {
 		ssif_inc_stat(ssif_info, receive_errors);
 	} else {
@@ -720,8 +731,6 @@ static void msg_done_handler(struct ssif
 		ssif_inc_stat(ssif_info, received_message_parts);
 	}
 
-
- continue_op:
 	if (ssif_info->ssif_debug & SSIF_DEBUG_STATE)
 		pr_info(PFX "DONE 1: state = %d, result=%d.\n",
 			ssif_info->ssif_state, result);