Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6a8d648c authored by Alexander Usyskin's avatar Alexander Usyskin Committed by Greg Kroah-Hartman
Browse files

mei: fix NULL dereferencing during FW initiated disconnection 



In the case when disconnection is initiated from the FW
the driver is flushing items from the write control list while
iterating over it:

mei_irq_write_handler()
    list_for_each_entry_safe(ctrl_wr_list)         <-- outer loop
         mei_cl_irq_disconnect_rsp()
             mei_cl_set_disconnected()
                 mei_io_list_flush(ctrl_wr_list)   <-- destorying list

We move the list flushing to the completion routine.

Cc: <stable@vger.kernel.org> #4.2+
Signed-off-by: default avatarAlexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: default avatarTomas Winkler <tomas.winkler@intel.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent cc25aa94

drivers/misc/mei/client.c

+4 −0
Original line number Diff line number Diff line
@@ -1766,6 +1766,10 @@ void mei_cl_complete(struct mei_cl *cl, struct mei_cl_cb *cb) 
		if (waitqueue_active(&cl->wait))

			wake_up(&cl->wait);



		break;

	case MEI_FOP_DISCONNECT_RSP:

		mei_io_cb_free(cb);

		mei_cl_set_disconnected(cl);

		break;

	default:

		BUG_ON(0);

drivers/misc/mei/hbm.c

+1 −2
Original line number Diff line number Diff line
@@ -877,8 +877,7 @@ static int mei_hbm_fw_disconnect_req(struct mei_device *dev, 
		cb = mei_io_cb_init(cl, MEI_FOP_DISCONNECT_RSP, NULL);

		if (!cb)

			return -ENOMEM;

		cl_dbg(dev, cl, "add disconnect response as first\n");

		list_add(&cb->list, &dev->ctrl_wr_list.list);

		list_add_tail(&cb->list, &dev->ctrl_wr_list.list);

	}

	return 0;

}

drivers/misc/mei/interrupt.c

+1 −4
Original line number Diff line number Diff line
@@ -194,10 +194,7 @@ static int mei_cl_irq_disconnect_rsp(struct mei_cl *cl, struct mei_cl_cb *cb, 
		return -EMSGSIZE;



	ret = mei_hbm_cl_disconnect_rsp(dev, cl);

	mei_cl_set_disconnected(cl);

	mei_io_cb_free(cb);

	mei_me_cl_put(cl->me_cl);

	cl->me_cl = NULL;

	list_move_tail(&cb->list, &cmpl_list->list);



	return ret;

}