diff options
| author | Alexander Usyskin <alexander.usyskin@intel.com> | 2016-04-17 12:16:03 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2016-06-01 12:15:50 -0700 |
| commit | 2826506a7fc8a165292b109c5ad4456d60b1e580 (patch) | |
| tree | b2f1f1dc09011197e860772b474ab1763f34af08 | |
| parent | 2ceff6c403894da9de23a52c20bfcd81d8659a50 (diff) | |
mei: fix NULL dereferencing during FW initiated disconnection
commit 6a8d648c8d1824117a9e9edb948ed1611fb013c0 upstream.
In the case when disconnection is initiated from the FW
the driver is flushing items from the write control list while
iterating over it:
mei_irq_write_handler()
list_for_each_entry_safe(ctrl_wr_list) <-- outer loop
mei_cl_irq_disconnect_rsp()
mei_cl_set_disconnected()
mei_io_list_flush(ctrl_wr_list) <-- destorying list
We move the list flushing to the completion routine.
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/misc/mei/client.c | 4 | ||||
| -rw-r--r-- | drivers/misc/mei/hbm.c | 3 | ||||
| -rw-r--r-- | drivers/misc/mei/interrupt.c | 5 |
3 files changed, 6 insertions, 6 deletions
diff --git a/drivers/misc/mei/client.c b/drivers/misc/mei/client.c index a6c87c713193..958af84884b5 100644 --- a/drivers/misc/mei/client.c +++ b/drivers/misc/mei/client.c @@ -1735,6 +1735,10 @@ void mei_cl_complete(struct mei_cl *cl, struct mei_cl_cb *cb) wake_up(&cl->wait); break; + case MEI_FOP_DISCONNECT_RSP: + mei_io_cb_free(cb); + mei_cl_set_disconnected(cl); + break; default: BUG_ON(0); } diff --git a/drivers/misc/mei/hbm.c b/drivers/misc/mei/hbm.c index e7b7aad0999b..fd8a9f057ea6 100644 --- a/drivers/misc/mei/hbm.c +++ b/drivers/misc/mei/hbm.c @@ -873,8 +873,7 @@ static int mei_hbm_fw_disconnect_req(struct mei_device *dev, cb = mei_io_cb_init(cl, MEI_FOP_DISCONNECT_RSP, NULL); if (!cb) return -ENOMEM; - cl_dbg(dev, cl, "add disconnect response as first\n"); - list_add(&cb->list, &dev->ctrl_wr_list.list); + list_add_tail(&cb->list, &dev->ctrl_wr_list.list); } return 0; } diff --git a/drivers/misc/mei/interrupt.c b/drivers/misc/mei/interrupt.c index 64b568a0268d..44471edb62f7 100644 --- a/drivers/misc/mei/interrupt.c +++ b/drivers/misc/mei/interrupt.c @@ -184,10 +184,7 @@ static int mei_cl_irq_disconnect_rsp(struct mei_cl *cl, struct mei_cl_cb *cb, return -EMSGSIZE; ret = mei_hbm_cl_disconnect_rsp(dev, cl); - mei_cl_set_disconnected(cl); - mei_io_cb_free(cb); - mei_me_cl_put(cl->me_cl); - cl->me_cl = NULL; + list_move_tail(&cb->list, &cmpl_list->list); return ret; } |