shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-03-31 10:13:04 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
2bc744aa8bb9eaff8facd237c359cf64bf6ec239
linux/drivers
History
Chao Bi 2bc744aa8b mei: set client's read_cb to NULL when flow control fails 
commit accb884b32 upstream.

In mei_cl_read_start(), if it fails to send flow control request, it
will release "cl->read_cb" but forget to set pointer to NULL, leaving
"cl->read_cb" still pointing to random memory, next time this client is
operated like mei_release(), it has chance to refer to this wrong pointer.

Fixes:  PANIC at kfree in mei_release()

[228781.826904] Call Trace:
[228781.829737]  [<c16249b8>] ? mei_cl_unlink+0x48/0xa0
[228781.835283]  [<c1624487>] mei_io_cb_free+0x17/0x30
[228781.840733]  [<c16265d8>] mei_release+0xa8/0x180
[228781.845989]  [<c135c610>] ? __fsnotify_parent+0xa0/0xf0
[228781.851925]  [<c1325a69>] __fput+0xd9/0x200
[228781.856696]  [<c1325b9d>] ____fput+0xd/0x10
[228781.861467]  [<c125cae1>] task_work_run+0x81/0xb0
[228781.866821]  [<c1242e53>] do_exit+0x283/0xa00
[228781.871786]  [<c1a82b36>] ? kprobe_flush_task+0x66/0xc0
[228781.877722]  [<c124eeb8>] ? __dequeue_signal+0x18/0x1a0
[228781.883657]  [<c124f072>] ? dequeue_signal+0x32/0x190
[228781.889397]  [<c1243744>] do_group_exit+0x34/0xa0
[228781.894750]  [<c12517b6>] get_signal_to_deliver+0x206/0x610
[228781.901075]  [<c12018d8>] do_signal+0x38/0x100
[228781.906136]  [<c1626d1c>] ? mei_read+0x42c/0x4e0
[228781.911393]  [<c12600a0>] ? wake_up_bit+0x30/0x30
[228781.916745]  [<c16268f0>] ? mei_poll+0x120/0x120
[228781.922001]  [<c1324be9>] ? vfs_read+0x89/0x160
[228781.927158]  [<c16268f0>] ? mei_poll+0x120/0x120
[228781.932414]  [<c133ca34>] ? fget_light+0x44/0xe0
[228781.937670]  [<c1324e58>] ? SyS_read+0x68/0x80
[228781.942730]  [<c12019f5>] do_notify_resume+0x55/0x70
[228781.948376]  [<c1a7de5d>] work_notifysig+0x29/0x30
[228781.953827]  [<c1a70000>] ? bad_area+0x5/0x3e

Signed-off-by: Chao Bi <chao.bi@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-03-06 21:30:10 -08:00
..
accessibility
acpi
ACPI / processor: Rework processor throttling with work_on_cpu()
2014-03-06 21:30:09 -08:00
amba
ata
sata_sil: apply MOD15WRITE quirk to TOSHIBA MK2561GSYN
2014-03-06 21:30:09 -08:00
atm
atm: idt77252: fix dev refcnt leak
2013-12-08 07:29:25 -08:00
auxdisplay
base
PM / runtime: Use pm_runtime_put_sync() in __device_release_driver()
2013-12-04 10:56:59 -08:00
bcma
bcma: add more core IDs
2013-05-17 14:31:05 -04:00
block
xen-blkfront: handle backend CLOSED without CLOSING
2014-02-22 12:41:25 -08:00
bluetooth
Bluetooth: Add support for BCM20702A0 [0b05, 17cb]
2013-10-13 16:08:32 -07:00
bus
bus: mvebu: fix mistake in PCIe window target attribute for Kirkwood
2013-04-11 17:05:37 +00:00
cdrom
drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
2013-07-13 11:42:26 -07:00
char
raw: test against runtime value of max_raw_minors
2014-02-22 12:41:27 -08:00
clk
clk: exynos5250: fix sysmmu_mfc{l,r} gate clocks
2014-01-15 15:28:52 -08:00
clocksource
clocksource: em_sti: Set cpu_possible_mask to fix SMP broadcast
2014-01-15 15:28:45 -08:00
connector
connector: improved unaligned access error fix
2013-12-08 07:29:25 -08:00
cpufreq
cpufreq: powernow-k8: Initialize per-cpu data-structures properly
2014-03-06 21:30:09 -08:00
cpuidle
cpuidle: coupled: fix race condition between pokes and safe state
2013-09-26 17:18:02 -07:00
crypto
crypto: caam - Fixed the memory out of bound overwrite issue
2013-08-04 16:50:57 +08:00
dca
devfreq
dio
dma
net_dma: mark broken
2014-01-09 12:24:21 -08:00
edac
i7core_edac: Fix PCI device reference count
2014-03-06 21:30:09 -08:00
eisa
Revert "EISA: Initialize device before its resources"
2014-02-13 13:47:59 -08:00
extcon
Merge tag 'gpio-for-linus' of git://git.secretlab.ca/git/linux
2013-05-09 09:59:16 -07:00
firewire
firewire: sbp2: bring back WRITE SAME support
2014-01-09 12:24:21 -08:00
firmware
dmi: add support for exact DMI matches in addition to substring matching
2013-11-29 11:11:53 -08:00
gpio
gpio-rcar: R-Car GPIO IRQ share interrupt
2014-01-15 15:28:45 -08:00
gpu
drm/nv50/disp: use correct register to determine DP display bpp
2014-03-06 21:30:00 -08:00
hid
HID: Revert "Revert "HID: Fix logitech-dj: missing Unifying device issue""
2014-01-15 15:28:45 -08:00
hsi
hv
Drivers: hv: vmbus: Don't timeout during the initial connection with host
2014-02-22 12:41:28 -08:00
hwmon
hwmon: (ntc_thermistor) Avoid math overflow
2014-02-22 12:41:27 -08:00
hwspinlock
Merge tag 'hwspinlock-3.10' of git://git.kernel.org/pub/scm/linux/kernel/git/ohad/hwspinlock
2013-05-07 14:01:27 -07:00
i2c
i2c: i801: SMBus patch for Intel Coleto Creek DeviceIDs
2014-02-13 13:48:03 -08:00
ide
block_device_operations->release() should return void
2013-05-07 02:16:21 -04:00
idle
x86 idle: Repair large-server 50-watt idle-power regression
2014-01-09 12:24:21 -08:00
iio
iio: adis16400: Set timestamp as the last element in chan_spec
2014-02-22 12:41:27 -08:00
infiniband
IB/qib: Add missing serdes init sequence
2014-02-22 12:41:29 -08:00
input
Input: allocate absinfo data when setting ABS capability
2014-01-09 12:24:24 -08:00
iommu
intel-iommu: fix off-by-one in pagetable freeing
2014-02-13 13:47:59 -08:00
ipack
irqchip
irqchip: armada-370-xp: fix IPI race condition
2014-02-20 11:06:11 -08:00
isdn
net: rework recvmsg handler msg_name and msg_namelen logic
2013-12-08 07:29:25 -08:00
leds
leds: wm831x-status: Request a REG resource
2013-09-26 17:18:27 -07:00
lguest
lguest: clear cached last cpu when guest_set_pgd() called.
2013-05-08 10:49:18 +09:30
macintosh
powerpc/windfarm: Fix noisy slots-fan on Xserve (rm31)
2013-08-11 18:35:20 -07:00
mailbox
md
md/raid5: Fix CPU hotplug callback registration
2014-02-22 12:41:29 -08:00
media
mxl111sf: Fix compile when CONFIG_DVB_USB_MXL111SF is unset
2014-02-20 11:06:11 -08:00
memory
drivers/memory: don't check resource with devm_ioremap_resource
2013-05-18 11:55:52 +02:00
memstick
block_device_operations->release() should return void
2013-05-07 02:16:21 -04:00
message
Merge branch 'for-3.10/core' of git://git.kernel.dk/linux-block
2013-05-08 10:13:35 -07:00
mfd
mfd: lpc_ich: iTCO_wdt patch for Intel Coleto Creek DeviceIDs
2014-02-13 13:48:03 -08:00
misc
mei: set client's read_cb to NULL when flow control fails
2014-03-06 21:30:10 -08:00
mmc
mmc: atmel-mci: fix timeout errors in SDIO mode when using DMA
2014-02-13 13:48:00 -08:00
mtd
mtd: mxc_nand: remove duplicated ecc_stats counting
2014-02-13 13:48:00 -08:00
net
can: kvaser_usb: check number of channels returned by HW
2014-03-06 21:30:10 -08:00
nfc
NFC: mei: Do not disable MEI devices from their remove routine
2013-05-21 10:48:41 +02:00
ntb
NTB: Correct debugfs to work with more than 1 NTB Device
2013-11-13 12:05:35 +09:00
nubus
nubus: Kill nubus_proc_detach_device()
2013-05-04 14:47:26 -04:00
of
of: fix PCI bus match for PCIe slots
2014-02-22 12:41:27 -08:00
oprofile
parisc
parisc: Fix interrupt routing for C8000 serial ports
2013-08-11 18:35:21 -07:00
parport
parport: parport_pc: remove double PCI ID for NetMos
2014-02-06 11:08:15 -08:00
pci
PCI: Enable INTx if BIOS left them disabled
2014-03-06 21:30:09 -08:00
pcmcia
pcmcia: at91_cf: fix gpio_get_value in at91_cf_get_status
2013-07-21 18:21:25 -07:00
pinctrl
pinctrl: protect pinctrl_list add
2014-02-20 11:06:11 -08:00
platform
hp_accel: Add a new PnP ID HPQ6007 for new HP laptops
2014-02-06 11:08:16 -08:00
pnp
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc
2013-05-02 10:16:16 -07:00
power
power: max17040: Fix NULL pointer dereference when there is no platform_data
2014-02-22 12:41:29 -08:00
pps
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-05-01 17:51:54 -07:00
ps3
ptp
ptp_pch: fix error handling in pch_probe()
2013-05-25 21:24:15 -07:00
pwm
drivers/pwm: don't check resource with devm_ioremap_resource
2013-05-18 11:55:58 +02:00
rapidio
RAPIDIO: IDT_GEN2: Fix build error.
2013-07-28 16:30:07 -07:00
regulator
mfd: tps6586x: correct device name of the regulator cell
2013-06-24 12:37:47 +01:00
remoteproc
Merge tag 'remoteproc-3.10' of git://git.kernel.org/pub/scm/linux/kernel/git/ohad/remoteproc
2013-05-07 14:04:56 -07:00
reset
reset: NULL deref on allocation failure
2013-04-12 10:26:24 +02:00
rpmsg
Merge tag 'rpmsg-3.10' of git://git.kernel.org/pub/scm/linux/kernel/git/ohad/rpmsg
2013-05-07 14:02:00 -07:00
rtc
rtc-cmos: Add an alarm disable quirk
2014-02-13 13:48:03 -08:00
s390
s390/3270: fix allocation of tty3270_screen structure
2014-01-09 12:24:24 -08:00
sbus
bbc_i2c: fix section mismatch warning
2013-03-31 19:29:12 -04:00
scsi
virtio-scsi: Fix hotcpu_notifier use-after-free with virtscsi_freeze
2014-02-06 11:08:17 -08:00
sfi
sh
sn
spi
spi: Fix crash with double message finalisation on error handling
2014-02-22 12:41:26 -08:00
ssb
Merge tag 'for-linus-20130509' of git://git.infradead.org/linux-mtd
2013-05-09 10:15:46 -07:00
ssbi
staging
staging:iio:ad799x fix error_free_irq which was freeing an irq that may not have been requested
2014-02-22 12:41:27 -08:00
target
target/iscsi: Fix network portal creation race
2014-02-06 11:08:17 -08:00
tc
thermal
drivers/thermal: don't check resource with devm_ioremap_resource
2013-05-18 11:57:30 +02:00
tty
vt: Fix secure clear screen
2014-02-22 12:41:27 -08:00
uio
Fix a few incorrectly checked [io_]remap_pfn_range() calls
2013-11-13 12:05:33 +09:00
usb
USB: ftdi_sio: add Cressi Leonardo PID
2014-03-06 21:30:10 -08:00
uwb
uwb: rename random32() to prandom_u32()
2013-04-29 18:28:43 -07:00
vfio
vfio: fix crash on rmmod
2013-06-05 08:54:16 -06:00
vhost
vhost/scsi: Fix incorrect usage of get_user_pages_fast write parameter
2013-11-13 12:05:32 +09:00
video
video: kyro: fix incorrect sizes when copying to userspace
2013-12-08 07:29:27 -08:00
virt
virtio
virtio: support unlocked queue poll
2013-07-28 16:29:55 -07:00
vlynq
vme
VME: Correct read/write alignment algorithm
2014-02-22 12:41:28 -08:00
w1
drivers/w1/masters: don't check resource with devm_ioremap_resource
2013-05-18 11:58:03 +02:00
watchdog
sc1200_wdt: Fix oops
2013-12-20 07:45:11 -08:00
xen
xen/gnttab: leave lazy MMU mode in the case of a m2p override failure
2013-12-11 22:36:27 -08:00
zorro
proc: Supply PDE attribute setting accessor functions
2013-05-01 17:29:18 -04:00
Kconfig
Merge tag 'drivers-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
2013-05-04 12:31:18 -07:00
Makefile
Merge tag 'drivers-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
2013-05-04 12:31:18 -07:00