linux-uconsole/drivers/misc
Chao Bi 2bc744aa8b mei: set client's read_cb to NULL when flow control fails
commit accb884b32 upstream.

In mei_cl_read_start(), if it fails to send a flow control request, it
will release "cl->read_cb" but forgets to set the pointer to NULL, leaving
"cl->read_cb" still pointing to random memory. The next time this client is
operated on, as in mei_release(), it has a chance to refer to this wrong pointer.

Fixes: PANIC at kfree in mei_release()

[228781.826904] Call Trace:
[228781.829737]  [<c16249b8>] ? mei_cl_unlink+0x48/0xa0
[228781.835283]  [<c1624487>] mei_io_cb_free+0x17/0x30
[228781.840733]  [<c16265d8>] mei_release+0xa8/0x180
[228781.845989]  [<c135c610>] ? __fsnotify_parent+0xa0/0xf0
[228781.851925]  [<c1325a69>] __fput+0xd9/0x200
[228781.856696]  [<c1325b9d>] ____fput+0xd/0x10
[228781.861467]  [<c125cae1>] task_work_run+0x81/0xb0
[228781.866821]  [<c1242e53>] do_exit+0x283/0xa00
[228781.871786]  [<c1a82b36>] ? kprobe_flush_task+0x66/0xc0
[228781.877722]  [<c124eeb8>] ? __dequeue_signal+0x18/0x1a0
[228781.883657]  [<c124f072>] ? dequeue_signal+0x32/0x190
[228781.889397]  [<c1243744>] do_group_exit+0x34/0xa0
[228781.894750]  [<c12517b6>] get_signal_to_deliver+0x206/0x610
[228781.901075]  [<c12018d8>] do_signal+0x38/0x100
[228781.906136]  [<c1626d1c>] ? mei_read+0x42c/0x4e0
[228781.911393]  [<c12600a0>] ? wake_up_bit+0x30/0x30
[228781.916745]  [<c16268f0>] ? mei_poll+0x120/0x120
[228781.922001]  [<c1324be9>] ? vfs_read+0x89/0x160
[228781.927158]  [<c16268f0>] ? mei_poll+0x120/0x120
[228781.932414]  [<c133ca34>] ? fget_light+0x44/0xe0
[228781.937670]  [<c1324e58>] ? SyS_read+0x68/0x80
[228781.942730]  [<c12019f5>] do_notify_resume+0x55/0x70
[228781.948376]  [<c1a7de5d>] work_notifysig+0x29/0x30
[228781.953827]  [<c1a70000>] ? bad_area+0x5/0x3e

Signed-off-by: Chao Bi <chao.bi@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-03-06 21:30:10 -08:00
altera-stapl
c2port misc/c2port: convert to idr_alloc() 2013-02-27 19:10:17 -08:00
carma dmaengine: remove dma_async_memcpy_pending() macro 2013-01-07 22:05:09 -08:00
cb710 drivers/misc/cb710: add missing GENERIC_HARDIRQS dependency 2013-02-08 12:23:53 -08:00
eeprom misc: eeprom_93xx46: use spi_get_drvdata() and spi_set_drvdata() 2013-04-05 15:38:31 -07:00
ibmasm fs: Limit sys_mount to only request filesystem modules. 2013-03-03 19:36:31 -08:00
lis3lv02d lis3lv02d: don't wank with fasync() on ->release() 2013-04-29 15:41:46 -04:00
mei mei: set client's read_cb to NULL when flow control fails 2014-03-06 21:30:10 -08:00
sgi-gru drivers/misc/sgi-gru/grufile.c: fix info leak in gru_get_config_info() 2013-06-12 16:29:46 -07:00
sgi-xp SGI-XP: handle non-fatal traps 2012-12-20 17:40:20 -08:00
ti-st Char/Misc driver patches for 3.9-rc1 2013-02-21 13:57:13 -08:00
vmw_vmci Hoist memcpy_fromiovec/memcpy_toiovec into lib/ 2013-05-20 10:24:22 +09:30
ad525x_dpot-i2c.c misc: remove use of __devexit 2012-11-21 12:53:32 -08:00
ad525x_dpot-spi.c misc: remove use of __devexit 2012-11-21 12:53:32 -08:00
ad525x_dpot.c misc: remove use of __devinit 2012-11-21 12:51:53 -08:00
ad525x_dpot.h
apds990x.c misc: apds990x: add CONFIG_PM_SLEEP to suspend/resume functions 2013-03-29 08:50:52 -07:00
apds9802als.c misc: apds9802als: Fix suspend/resume 2013-04-11 12:39:02 -07:00
arm-charlcd.c misc: arm-charlcd: use module_platform_driver_probe() 2013-03-15 11:10:49 -07:00
atmel-ssc.c drivers/misc: don't check resource with devm_ioremap_resource 2013-05-18 11:55:54 +02:00
atmel_pwm.c misc: atmel_pwm: add deferred-probing support 2013-11-20 12:27:47 -08:00
atmel_tclib.c
bh1770glc.c misc: bh1770glc: add CONFIG_PM_SLEEP to suspend/resume functions 2013-03-29 08:50:51 -07:00
bh1780gli.c misc: bh1780gli: add CONFIG_PM_SLEEP to suspend/resume functions 2013-03-29 08:50:51 -07:00
bmp085-i2c.c misc: remove use of __devinit 2012-11-21 12:51:53 -08:00
bmp085-spi.c misc: remove use of __devinit 2012-11-21 12:51:53 -08:00
bmp085.c misc: remove use of __devinit 2012-11-21 12:51:53 -08:00
bmp085.h
cs5535-mfgpt.c cs5535-mfgpt: Fix quotation marks 2013-04-03 11:23:13 -07:00
ds1682.c
dummy-irq.c dummy-irq: require the user to specify an IRQ number 2013-05-16 18:08:57 -07:00
enclosure.c SCSI: enclosure: fix WARN_ON in dual path device removing 2013-12-11 22:36:27 -08:00
ep93xx_pwm.c misc: ep93xx_pwm: use module_platform_driver_probe() 2013-03-15 11:10:49 -07:00
fsa9480.c misc: fsa8480: Use dev_pm_ops 2013-04-11 12:39:02 -07:00
hmc6352.c
hpilo.c drivers/misc/hpilo: Correct panic when an AUX iLO is detected 2013-09-07 22:09:59 -07:00
hpilo.h
ics932s401.c
ioc4.c misc: remove use of __devexit 2012-11-21 12:53:32 -08:00
isl29003.c misc: isl29003: Use dev_pm_ops 2013-04-11 12:39:02 -07:00
isl29020.c
Kconfig Merge branch 'x86-paravirt-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-04-30 08:41:21 -07:00
kgdbts.c kgdb/kgdbts: support ppc64 2013-03-02 08:52:17 -06:00
lattice-ecp3-config.c misc: lattice-ecp3-config: use spi_get_drvdata() 2013-04-05 15:38:31 -07:00
lkdtm.c
Makefile misc: generic on-chip SRAM allocation driver 2013-04-29 18:28:13 -07:00
pch_phub.c misc: remove use of __devexit 2012-11-21 12:53:32 -08:00
phantom.c misc: remove use of __devexit 2012-11-21 12:53:32 -08:00
pti.c TTY/Serial merge for 3.8-rc1 2012-12-11 14:08:47 -08:00
spear13xx_pcie_gadget.c misc: remove use of __devexit 2012-11-21 12:53:32 -08:00
sram.c misc: generic on-chip SRAM allocation driver 2013-04-29 18:28:13 -07:00
ti_dac7512.c misc: remove use of __devexit 2012-11-21 12:53:32 -08:00
tifm_7xx1.c tifm: use module_pci_driver 2012-09-05 14:10:29 -07:00
tifm_core.c misc/tifm_core: convert to idr_alloc() 2013-02-27 19:10:17 -08:00
tsl2550.c misc: tsl2550: Use dev_pm_ops 2013-04-11 12:39:02 -07:00
vmw_balloon.c