summaryrefslogtreecommitdiffstats
path: root/drivers/misc/mei/interrupt.c
diff options
context:
space:
mode:
authorAlexander Usyskin <alexander.usyskin@intel.com>2016-04-17 18:16:03 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2016-04-30 23:08:08 +0200
commit6a8d648c8d1824117a9e9edb948ed1611fb013c0 (patch)
treed0db8401ceee131be91539da604aa9a5af9a6176 /drivers/misc/mei/interrupt.c
parentmei: drop global me_client_index (diff)
downloadlinux-6a8d648c8d1824117a9e9edb948ed1611fb013c0.tar.xz
linux-6a8d648c8d1824117a9e9edb948ed1611fb013c0.zip
mei: fix NULL dereferencing during FW initiated disconnection
In the case when disconnection is initiated from the FW the driver is flushing items from the write control list while iterating over it: mei_irq_write_handler() list_for_each_entry_safe(ctrl_wr_list) <-- outer loop mei_cl_irq_disconnect_rsp() mei_cl_set_disconnected() mei_io_list_flush(ctrl_wr_list) <-- destorying list We move the list flushing to the completion routine. Cc: <stable@vger.kernel.org> #4.2+ Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/misc/mei/interrupt.c')
-rw-r--r--drivers/misc/mei/interrupt.c5
1 files changed, 1 insertions, 4 deletions
diff --git a/drivers/misc/mei/interrupt.c b/drivers/misc/mei/interrupt.c
index 1e5cb1f704f8..704dc6caad6d 100644
--- a/drivers/misc/mei/interrupt.c
+++ b/drivers/misc/mei/interrupt.c
@@ -194,10 +194,7 @@ static int mei_cl_irq_disconnect_rsp(struct mei_cl *cl, struct mei_cl_cb *cb,
return -EMSGSIZE;
ret = mei_hbm_cl_disconnect_rsp(dev, cl);
- mei_cl_set_disconnected(cl);
- mei_io_cb_free(cb);
- mei_me_cl_put(cl->me_cl);
- cl->me_cl = NULL;
+ list_move_tail(&cb->list, &cmpl_list->list);
return ret;
}