authorTakashi Iwai <tiwai@suse.de>2019-07-19 15:28:49 +0200
committerTakashi Iwai <tiwai@suse.de>2019-07-19 15:32:05 +0200
commitf1a0eb009556985cfb6683801ab1a071f3f21372 (patch)
tree7235480cb0667c29264d0a36e94834354d49356d
parent008cacf59c42a8a2e005ff7c243ca232010b1ba0 (diff)
mei: bus: need to unlink client before freeing (bsc#1051510).
-rw-r--r--patches.drivers/mei-bus-need-to-unlink-client-before-freeing.patch79
-rw-r--r--series.conf1
2 files changed, 80 insertions, 0 deletions
diff --git a/patches.drivers/mei-bus-need-to-unlink-client-before-freeing.patch b/patches.drivers/mei-bus-need-to-unlink-client-before-freeing.patch
new file mode 100644
index 0000000000..dcaf538c99
--- /dev/null
+++ b/patches.drivers/mei-bus-need-to-unlink-client-before-freeing.patch
@@ -0,0 +1,79 @@
+From 34f1166afd67f9f48a08c52f36180048908506a4 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Mon, 27 Aug 2018 22:40:16 +0300
+Subject: [PATCH] mei: bus: need to unlink client before freeing
+Mime-version: 1.0
+Content-type: text/plain; charset=UTF-8
+Content-transfer-encoding: 8bit
+Git-commit: 34f1166afd67f9f48a08c52f36180048908506a4
+Patch-mainline: v4.19-rc4
+References: bsc#1051510
+
+In case a client fails to connect in mei_cldev_enable(), the
+caller won't call the mei_cldev_disable leaving the client
+in a linked stated. Upon driver unload the client structure
+will be freed in mei_cl_bus_dev_release(), leaving a stale pointer
+on a fail_list. This will eventually end up in crash
+during power down flow in mei_cl_set_disonnected().
+
+Rip: mei_cl_set_disconnected+0x5/0x260[mei]
+Call trace:
+mei_cl_all_disconnect+0x22/0x30
+mei_reset+0x194/0x250
+__synchronize_hardirq+0x43/0x50
+_cond_resched+0x15/0x30
+mei_me_intr_clear+0x20/0x100
+mei_stop+0x76/0xb0
+mei_me_shutdown+0x3f/0x80
+pci_device_shutdown+0x34/0x60
+kernel_restart+0x0e/0x30
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200455
+Fixes: 'c110cdb17148 ("mei: bus: make a client pointer always available")'
+Cc: <stable@vger.kernel.org> 4.10+
+Tested-by: Georg Müller <georgmueller@gmx.net>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-by: Takashi Iwai <tiwai@suse.de>
+
+---
+ drivers/misc/mei/bus.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/misc/mei/bus.c
++++ b/drivers/misc/mei/bus.c
+@@ -465,17 +465,15 @@ int mei_cldev_enable(struct mei_cl_devic
+
+ cl = cldev->cl;
+
++ mutex_lock(&bus->device_lock);
+ if (cl->state == MEI_FILE_UNINITIALIZED) {
+- mutex_lock(&bus->device_lock);
+ ret = mei_cl_link(cl);
+- mutex_unlock(&bus->device_lock);
+ if (ret)
+- return ret;
++ goto out;
+ /* update pointers */
+ cl->cldev = cldev;
+ }
+
+- mutex_lock(&bus->device_lock);
+ if (mei_cl_is_connected(cl)) {
+ ret = 0;
+ goto out;
+@@ -841,12 +839,13 @@ static void mei_cl_bus_dev_release(struc
+
+ mei_me_cl_put(cldev->me_cl);
+ mei_dev_bus_put(cldev->bus);
++ mei_cl_unlink(cldev->cl);
+ kfree(cldev->cl);
+ kfree(cldev);
+ }
+
+ static struct device_type mei_cl_device_type = {
+- .release = mei_cl_bus_dev_release,
++ .release = mei_cl_bus_dev_release,
+ };
+
+ /**
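Review bot: In the embedded bus.c change to mei_cl_bus_dev_release(), the added `mei_cl_unlink(cldev->cl);` runs after `mei_dev_bus_put(cldev->bus);` and without `bus->device_lock`, although the same patch widens that mutex in mei_cldev_enable() to cover both mei_cl_link() and the state check. If mei_cl_unlink() edits a client list owned by the bus device, as the stale-pointer description in the message suggests, the unlink should come before the bus reference is dropped. The release path should also carry a short comment stating why the list can be modified there without the lock, or take the lock if the release context allows it. The result of the call is also discarded; if mei_cl_unlink() reports a status the way mei_cl_link() does, a failed unlink is still followed by `kfree(cldev->cl)`, which leaves the dangling list entry this patch is meant to remove, so `WARN_ON(mei_cl_unlink(cldev->cl));` would at least make that visible. Both function bodies continue outside the hunks shown, so the lock state on entry to the release callback cannot be confirmed from this page.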
diff --git a/series.conf b/series.conf
index 0946f3145f..8d9ca99553 100644
--- a/series.conf
+++ b/series.conf
@@ -19183,6 +19183,7 @@
patches.drm/drm-i915-overlay-Allocate-physical-registers-from-st.patch
patches.drm/0001-drm-amdgpu-fix-error-handling-in-amdgpu_cs_user_fenc.patch
patches.drivers/mei-ignore-not-found-client-in-the-enumeration.patch
+ patches.drivers/mei-bus-need-to-unlink-client-before-freeing.patch
patches.suse/msft-hv-1753-Tools-hv-Fix-a-bug-in-the-key-delete-code.patch
patches.drivers/misc-hmc6352-fix-potential-Spectre-v1.patch
patches.suse/msft-hv-1754-vmbus-don-t-return-values-for-uninitalized-channels.patch