aboutsummaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorTomas Winkler <tomas.winkler@intel.com>2018-08-27 15:40:16 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2018-09-12 03:14:24 -0400
commit34f1166afd67f9f48a08c52f36180048908506a4 (patch)
tree3cfc5dca74bda93248a655c58a54359f8fb08333 /drivers
parent69bf5313035926b0b6a6578de4f3168a8f5c19b8 (diff)
mei: bus: need to unlink client before freeing
In case a client fails to connect in mei_cldev_enable(), the caller won't call the mei_cldev_disable leaving the client in a linked stated. Upon driver unload the client structure will be freed in mei_cl_bus_dev_release(), leaving a stale pointer on a fail_list. This will eventually end up in crash during power down flow in mei_cl_set_disonnected(). RIP: mei_cl_set_disconnected+0x5/0x260[mei] Call trace: mei_cl_all_disconnect+0x22/0x30 mei_reset+0x194/0x250 __synchronize_hardirq+0x43/0x50 _cond_resched+0x15/0x30 mei_me_intr_clear+0x20/0x100 mei_stop+0x76/0xb0 mei_me_shutdown+0x3f/0x80 pci_device_shutdown+0x34/0x60 kernel_restart+0x0e/0x30 Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200455 Fixes: 'c110cdb17148 ("mei: bus: make a client pointer always available")' Cc: <stable@vger.kernel.org> 4.10+ Tested-by: Georg Müller <georgmueller@gmx.net> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/misc/mei/bus.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
index 13c6c9a2248a..fc3872fe7b25 100644
--- a/drivers/misc/mei/bus.c
+++ b/drivers/misc/mei/bus.c
@@ -521,17 +521,15 @@ int mei_cldev_enable(struct mei_cl_device *cldev)
521 521
522 cl = cldev->cl; 522 cl = cldev->cl;
523 523
524 mutex_lock(&bus->device_lock);
524 if (cl->state == MEI_FILE_UNINITIALIZED) { 525 if (cl->state == MEI_FILE_UNINITIALIZED) {
525 mutex_lock(&bus->device_lock);
526 ret = mei_cl_link(cl); 526 ret = mei_cl_link(cl);
527 mutex_unlock(&bus->device_lock);
528 if (ret) 527 if (ret)
529 return ret; 528 goto out;
530 /* update pointers */ 529 /* update pointers */
531 cl->cldev = cldev; 530 cl->cldev = cldev;
532 } 531 }
533 532
534 mutex_lock(&bus->device_lock);
535 if (mei_cl_is_connected(cl)) { 533 if (mei_cl_is_connected(cl)) {
536 ret = 0; 534 ret = 0;
537 goto out; 535 goto out;
@@ -875,12 +873,13 @@ static void mei_cl_bus_dev_release(struct device *dev)
875 873
876 mei_me_cl_put(cldev->me_cl); 874 mei_me_cl_put(cldev->me_cl);
877 mei_dev_bus_put(cldev->bus); 875 mei_dev_bus_put(cldev->bus);
876 mei_cl_unlink(cldev->cl);
878 kfree(cldev->cl); 877 kfree(cldev->cl);
879 kfree(cldev); 878 kfree(cldev);
880} 879}
881 880
882static const struct device_type mei_cl_device_type = { 881static const struct device_type mei_cl_device_type = {
883 .release = mei_cl_bus_dev_release, 882 .release = mei_cl_bus_dev_release,
884}; 883};
885 884
886/** 885/**
generated by cgit v1.2.2 (git 2.25.0) at 2026-01-09 03:42:12 -0500