linux/drivers/misc/mei
Chao Bi accb884b32 mei: set client's read_cb to NULL when flow control fails
In mei_cl_read_start(), if it fails to send flow control request, it
will release "cl->read_cb" but forget to set pointer to NULL, leaving
"cl->read_cb" still pointing to random memory, next time this client is
operated like mei_release(), it has chance to refer to this wrong pointer.

Fixes:  PANIC at kfree in mei_release()

[228781.826904] Call Trace:
[228781.829737]  [<c16249b8>] ? mei_cl_unlink+0x48/0xa0
[228781.835283]  [<c1624487>] mei_io_cb_free+0x17/0x30
[228781.840733]  [<c16265d8>] mei_release+0xa8/0x180
[228781.845989]  [<c135c610>] ? __fsnotify_parent+0xa0/0xf0
[228781.851925]  [<c1325a69>] __fput+0xd9/0x200
[228781.856696]  [<c1325b9d>] ____fput+0xd/0x10
[228781.861467]  [<c125cae1>] task_work_run+0x81/0xb0
[228781.866821]  [<c1242e53>] do_exit+0x283/0xa00
[228781.871786]  [<c1a82b36>] ? kprobe_flush_task+0x66/0xc0
[228781.877722]  [<c124eeb8>] ? __dequeue_signal+0x18/0x1a0
[228781.883657]  [<c124f072>] ? dequeue_signal+0x32/0x190
[228781.889397]  [<c1243744>] do_group_exit+0x34/0xa0
[228781.894750]  [<c12517b6>] get_signal_to_deliver+0x206/0x610
[228781.901075]  [<c12018d8>] do_signal+0x38/0x100
[228781.906136]  [<c1626d1c>] ? mei_read+0x42c/0x4e0
[228781.911393]  [<c12600a0>] ? wake_up_bit+0x30/0x30
[228781.916745]  [<c16268f0>] ? mei_poll+0x120/0x120
[228781.922001]  [<c1324be9>] ? vfs_read+0x89/0x160
[228781.927158]  [<c16268f0>] ? mei_poll+0x120/0x120
[228781.932414]  [<c133ca34>] ? fget_light+0x44/0xe0
[228781.937670]  [<c1324e58>] ? SyS_read+0x68/0x80
[228781.942730]  [<c12019f5>] do_notify_resume+0x55/0x70
[228781.948376]  [<c1a7de5d>] work_notifysig+0x29/0x30
[228781.953827]  [<c1a70000>] ? bad_area+0x5/0x3e

Cc: stable <stable@vger.kernel.org> # 3.9+
Signed-off-by: Chao Bi <chao.bi@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-18 10:07:36 -08:00
..
Kconfig mei: move mei-me to separate module 2013-03-29 08:32:21 -07:00
Makefile mei: nfc: Initial nfc implementation 2013-04-10 18:56:53 -07:00
amthif.c mei: fix syntax in comments and debug output 2014-01-08 15:28:27 -08:00
bus.c mei: bus: propagate error code returned by mei_me_cl_by_id 2013-10-29 16:20:43 -07:00
client.c mei: set client's read_cb to NULL when flow control fails 2014-02-18 10:07:36 -08:00
client.h Merge 3.12-rc3 into char-misc-next 2013-09-29 18:27:03 -07:00
debugfs.c mei: fix syntax in comments and debug output 2014-01-08 15:28:27 -08:00
hbm.c mei: revamp mei reset state machine 2014-01-13 14:57:21 -08:00
hbm.h mei: use hbm idle state to prevent spurious resets 2014-01-08 15:25:41 -08:00
hw-me-regs.h mei: add 9 series PCH mei device ids 2013-12-05 09:48:23 -08:00
hw-me.c mei: revamp mei reset state machine 2014-01-13 14:57:21 -08:00
hw-me.h mei: revamp mei_data2slots 2013-03-15 11:10:48 -07:00
hw.h mei: enable marking internal commands 2013-12-18 16:39:54 -08:00
init.c mei: limit the number of consecutive resets 2014-01-13 14:57:21 -08:00
interrupt.c mei: revamp mei reset state machine 2014-01-13 14:57:21 -08:00
main.c mei: fix syntax in comments and debug output 2014-01-08 15:28:27 -08:00
mei_dev.h mei: limit the number of consecutive resets 2014-01-13 14:57:21 -08:00
nfc.c mei: fix syntax in comments and debug output 2014-01-08 15:28:27 -08:00
pci-me.c mei: revamp mei reset state machine 2014-01-13 14:57:21 -08:00
wd.c mei: enable marking internal commands 2013-12-18 16:39:54 -08:00