From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.linuxfoundation.org ([140.211.169.12]:52017 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1161710AbcE3Ub5 (ORCPT ); Mon, 30 May 2016 16:31:57 -0400
Subject: Patch "mei: fix NULL dereferencing during FW initiated disconnection" has been added to the 4.6-stable tree
To: alexander.usyskin@intel.com, gregkh@linuxfoundation.org, tomas.winkler@intel.com
Cc: ,
From:
Date: Mon, 30 May 2016 13:24:06 -0700
Message-ID: <1464639846234123@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID:

This is a note to let you know that I've just added the patch titled

    mei: fix NULL dereferencing during FW initiated disconnection

to the 4.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    mei-fix-null-dereferencing-during-fw-initiated-disconnection.patch
and it can be found in the queue-4.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.


>>From 6a8d648c8d1824117a9e9edb948ed1611fb013c0 Mon Sep 17 00:00:00 2001
From: Alexander Usyskin
Date: Sun, 17 Apr 2016 12:16:03 -0400
Subject: mei: fix NULL dereferencing during FW initiated disconnection

From: Alexander Usyskin

commit 6a8d648c8d1824117a9e9edb948ed1611fb013c0 upstream.

In the case when disconnection is initiated from the FW
the driver is flushing items from the write control list while
iterating over it:

    mei_irq_write_handler()
        list_for_each_entry_safe(ctrl_wr_list)         <-- outer loop
            mei_cl_irq_disconnect_rsp()
                mei_cl_set_disconnected()
                    mei_io_list_flush(ctrl_wr_list)    <-- destroying list

We move the list flushing to the completion routine.

Signed-off-by: Alexander Usyskin
Signed-off-by: Tomas Winkler
Signed-off-by: Greg Kroah-Hartman --- drivers/misc/mei/client.c | 4 ++++ drivers/misc/mei/hbm.c | 3 +-- drivers/misc/mei/interrupt.c | 5 +---- 3 files changed, 6 insertions(+), 6 deletions(-) --- a/drivers/misc/mei/client.c +++ b/drivers/misc/mei/client.c @@ -1767,6 +1767,10 @@ void mei_cl_complete(struct mei_cl *cl, wake_up(&cl->wait); break; + case MEI_FOP_DISCONNECT_RSP: + mei_io_cb_free(cb); + mei_cl_set_disconnected(cl); + break; default: BUG_ON(0); } --- a/drivers/misc/mei/hbm.c +++ b/drivers/misc/mei/hbm.c @@ -882,8 +882,7 @@ static int mei_hbm_fw_disconnect_req(str cb = mei_io_cb_init(cl, MEI_FOP_DISCONNECT_RSP, NULL); if (!cb) return -ENOMEM; - cl_dbg(dev, cl, "add disconnect response as first\n"); - list_add(&cb->list, &dev->ctrl_wr_list.list); + list_add_tail(&cb->list, &dev->ctrl_wr_list.list); } return 0; } --- a/drivers/misc/mei/interrupt.c +++ b/drivers/misc/mei/interrupt.c @@ -194,10 +194,7 @@ static int mei_cl_irq_disconnect_rsp(str return -EMSGSIZE; ret = mei_hbm_cl_disconnect_rsp(dev, cl); - mei_cl_set_disconnected(cl); - mei_io_cb_free(cb); - mei_me_cl_put(cl->me_cl); - cl->me_cl = NULL; + list_move_tail(&cb->list, &cmpl_list->list); return ret; } Patches currently in stable-queue which might be from alexander.usyskin@intel.com are queue-4.6/mei-fix-null-dereferencing-during-fw-initiated-disconnection.patch queue-4.6/mei-amthif-discard-not-read-messages.patch queue-4.6/mei-bus-call-mei_cl_read_start-under-device-lock.patch
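
Review bot: In the new `MEI_FOP_DISCONNECT_RSP` case of mei_cl_complete() (drivers/misc/mei/client.c), nothing records why `mei_cl_set_disconnected(cl)` is safe at this point when it was not in the interrupt path. The commit message says that call flushes ctrl_wr_list, so a short comment above the case stating that completion runs outside the `list_for_each_entry_safe()` walk of that list, and that cb is already unlinked before `mei_io_cb_free(cb)`, would keep a later refactor from moving it back. Separately, the `default: BUG_ON(0);` in the context right below can never fire because its condition is constant false, so an unhandled fop type passes silently.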
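
Review bot: The switch from `list_add()` to `list_add_tail()` in mei_hbm_fw_disconnect_req() (drivers/misc/mei/hbm.c) changes where the disconnect response sits in ctrl_wr_list, and the commit message does not mention it. The removed debug text, "add disconnect response as first", shows head insertion was deliberate, so the changelog should say why the response may now wait behind control writes that are already queued. The cl_dbg() call is also deleted rather than reworded; consider keeping a trace with updated text so a FW-initiated disconnect still shows up in the debug log at this point.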
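
Review bot: In mei_cl_irq_disconnect_rsp() (drivers/misc/mei/interrupt.c), `list_move_tail(&cb->list, &cmpl_list->list)` runs whatever `ret` from mei_hbm_cl_disconnect_rsp() is, so a failed send still ends with the completion case marking the client disconnected, as it did before this change. If that is intended, a one-line comment should say so; otherwise check ret before moving cb. The hunk also drops `mei_me_cl_put(cl->me_cl)` and `cl->me_cl = NULL` with no counterpart in the new completion case, so the changelog should state that mei_cl_set_disconnected() already releases that reference, or the put should move along with it.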
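
The iteration hazard described in the commit message above, as an added example that is not part of the patch or of the mei driver: a userspace model in which list_del() clears a `live` flag instead of freeing, so a walk that lands on a removed entry is counted rather than crashing. The `node` type, the helper functions and the three-entry sample queue are constructed for illustration.

```c
#include <stdio.h>
/* Constructed userspace model of ctrl_wr_list; every name below is hypothetical. */
struct node { struct node *prev, *next; int cl, disc, live; };
static void list_init(struct node *h) { h->prev = h->next = h; }
static void list_add_tail(struct node *n, struct node *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; n->live = 1; }
static void list_del(struct node *n)  /* live = 0 stands in for freeing the entry */
{ n->prev->next = n->next; n->next->prev = n->prev; n->live = 0; }

/* Stand-in for the flush in mei_cl_set_disconnected(): drop every entry of client cl. */
static void flush(struct node *h, int cl)
{
	struct node *p, *n;
	for (p = h->next; p != h; p = n) { n = p->next; if (p->cl == cl) list_del(p); }
}

/* Walk with a saved next pointer; returns how many dead entries the walk landed on. */
static int walk(struct node *h, struct node *cmpl, int defer)
{
	struct node *pos, *nxt;
	int stale = 0;
	for (pos = h->next, nxt = pos->next; pos != h; pos = nxt, nxt = pos->next) {
		if (!pos->live) { stale++; continue; }  /* in the kernel: freed memory */
		if (!pos->disc) continue;
		if (defer) { list_del(pos); list_add_tail(pos, cmpl); }  /* after the fix */
		else flush(h, pos->cl);                                  /* before the fix */
	}
	while (cmpl->next != cmpl) {  /* completion pass, runs once the walk is over */
		struct node *cb = cmpl->next;
		list_del(cb); flush(h, cb->cl);
	}
	return stale;
}
/* Sample queue: disconnect response for client 1, another client-1 entry, one for client 2. */
static int run(int defer, int *left)
{
	struct node h, cmpl, n[3] = { {0, 0, 1, 1, 0}, {0, 0, 1, 0, 0}, {0, 0, 2, 0, 0} };
	int i, stale;
	list_init(&h); list_init(&cmpl);
	for (i = 0; i < 3; i++) list_add_tail(&n[i], &h);
	stale = walk(&h, &cmpl, defer);
	for (*left = 0, i = 0; i < 3; i++) *left += n[i].live;
	return stale;
}

int main(void)
{
	int left, before = run(0, &left), after = run(1, &left);
	printf("stale visits: flush inside walk=%d, flush deferred=%d\n", before, after);
	return 0;
}
```

The saved next pointer only protects against removal of the current entry; flushing the client's other entries from inside the walk invalidates it, which is what deferring the flush to the completion pass avoids.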