linux/drivers/misc
Chao Bi accb884b32 mei: set client's read_cb to NULL when flow control fails
In mei_cl_read_start(), if it fails to send flow control request, it
will release "cl->read_cb" but forget to set pointer to NULL, leaving
"cl->read_cb" still pointing to random memory, next time this client is
operated like mei_release(), it has chance to refer to this wrong pointer.

Fixes:  PANIC at kfree in mei_release()

[228781.826904] Call Trace:
[228781.829737]  [<c16249b8>] ? mei_cl_unlink+0x48/0xa0
[228781.835283]  [<c1624487>] mei_io_cb_free+0x17/0x30
[228781.840733]  [<c16265d8>] mei_release+0xa8/0x180
[228781.845989]  [<c135c610>] ? __fsnotify_parent+0xa0/0xf0
[228781.851925]  [<c1325a69>] __fput+0xd9/0x200
[228781.856696]  [<c1325b9d>] ____fput+0xd/0x10
[228781.861467]  [<c125cae1>] task_work_run+0x81/0xb0
[228781.866821]  [<c1242e53>] do_exit+0x283/0xa00
[228781.871786]  [<c1a82b36>] ? kprobe_flush_task+0x66/0xc0
[228781.877722]  [<c124eeb8>] ? __dequeue_signal+0x18/0x1a0
[228781.883657]  [<c124f072>] ? dequeue_signal+0x32/0x190
[228781.889397]  [<c1243744>] do_group_exit+0x34/0xa0
[228781.894750]  [<c12517b6>] get_signal_to_deliver+0x206/0x610
[228781.901075]  [<c12018d8>] do_signal+0x38/0x100
[228781.906136]  [<c1626d1c>] ? mei_read+0x42c/0x4e0
[228781.911393]  [<c12600a0>] ? wake_up_bit+0x30/0x30
[228781.916745]  [<c16268f0>] ? mei_poll+0x120/0x120
[228781.922001]  [<c1324be9>] ? vfs_read+0x89/0x160
[228781.927158]  [<c16268f0>] ? mei_poll+0x120/0x120
[228781.932414]  [<c133ca34>] ? fget_light+0x44/0xe0
[228781.937670]  [<c1324e58>] ? SyS_read+0x68/0x80
[228781.942730]  [<c12019f5>] do_notify_resume+0x55/0x70
[228781.948376]  [<c1a7de5d>] work_notifysig+0x29/0x30
[228781.953827]  [<c1a70000>] ? bad_area+0x5/0x3e

Cc: stable <stable@vger.kernel.org> # 3.9+
Signed-off-by: Chao Bi <chao.bi@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-02-18 10:07:36 -08:00
..
altera-stapl
c2port c2port: convert class code to use bin_attrs in groups 2013-07-24 15:39:05 -07:00
carma Merge branch 'next' of git://git.infradead.org/users/vkoul/slave-dma 2013-11-20 13:20:24 -08:00
cb710 mmc: cb710: drop free_irq for devm_request_irq allocated irq 2013-09-26 13:55:30 -07:00
eeprom Revert "misc: eeprom: sunxi: Add new compatibles" 2014-02-14 11:16:08 -08:00
genwqe misc: genwqe: Fix potential memory leak when pinning memory 2014-02-07 15:24:31 -08:00
ibmasm misc: ibmasm: remove unnecessary pci_set_drvdata() 2013-09-26 09:13:54 -07:00
lis3lv02d misc: replace strict_strtoul() with kstrtoul() 2013-06-06 12:54:08 -07:00
mei mei: set client's read_cb to NULL when flow control fails 2014-02-18 10:07:36 -08:00
mic misc: mic: fix possible signed underflow (undefined behavior) in userspace API 2014-02-07 15:30:34 -08:00
sgi-gru drivers/misc/sgi-gru/grukdump.c: unlocking should be conditional in gru_dump_context() 2014-02-10 16:01:39 -08:00
sgi-xp sgi-xp: open-code interruptible_sleep_on_timeout 2014-01-08 15:18:02 -08:00
ti-st drivers/misc/ti-st: Prefer tty_driver_flush_buffer 2013-12-04 20:23:51 -08:00
vmw_vmci VMCI: fix error handling path when registering guest driver 2014-01-09 16:16:15 -08:00
ad525x_dpot-i2c.c
ad525x_dpot-spi.c
ad525x_dpot.c drivers: misc: Mark functions as static in ad525x_dpot.c 2013-12-18 16:41:52 -08:00
ad525x_dpot.h
apds990x.c misc: replace strict_strtoul() with kstrtoul() 2013-06-06 12:54:08 -07:00
apds9802als.c misc: replace strict_strtoul() with kstrtoul() 2013-06-06 12:54:08 -07:00
arm-charlcd.c misc: arm-charlcd: remove deprecated IRQF_DISABLED 2013-10-16 12:36:10 -07:00
atmel_pwm.c misc: atmel_pwm: add deferred-probing support 2013-10-29 16:22:57 -07:00
atmel_tclib.c
atmel-ssc.c Merge 3.11-rc3 into char-misc-next. 2013-07-29 11:50:17 -07:00
bh1770glc.c misc: replace strict_strtoul() with kstrtoul() 2013-06-06 12:54:08 -07:00
bh1780gli.c misc: bh1780: probe from compatible string 2013-10-03 16:02:35 -07:00
bmp085-i2c.c misc: bmp085: Clean up and enable use of interrupt for completion. 2013-12-04 20:23:51 -08:00
bmp085-spi.c misc: bmp085: Clean up and enable use of interrupt for completion. 2013-12-04 20:23:51 -08:00
bmp085.c misc: bmp085: Clean up and enable use of interrupt for completion. 2013-12-04 20:23:51 -08:00
bmp085.h misc: bmp085: Clean up and enable use of interrupt for completion. 2013-12-04 20:23:51 -08:00
cs5535-mfgpt.c
ds1682.c
dummy-irq.c treewide: Fix typo in printk 2013-05-28 12:02:13 +02:00
enclosure.c [SCSI] enclosure: fix WARN_ON in dual path device removing 2013-12-02 11:13:14 -08:00
fsa9480.c treewide: fix comments and printk msgs 2014-01-07 15:06:07 +01:00
hmc6352.c misc: replace strict_strtoul() with kstrtoul() 2013-06-06 12:54:08 -07:00
hpilo.c drivers/misc/hpilo: Correct panic when an AUX iLO is detected 2013-08-14 14:46:22 -07:00
hpilo.h
ics932s401.c hwmon: Change my email address. 2013-08-27 08:28:01 -07:00
ioc4.c
isl29003.c misc: replace strict_strtoul() with kstrtoul() 2013-06-06 12:54:08 -07:00
isl29020.c misc: replace strict_strtoul() with kstrtoul() 2013-06-06 12:54:08 -07:00
Kconfig GenWQE Enable driver 2013-12-18 16:51:15 -08:00
kgdbts.c
lattice-ecp3-config.c treewide: Fix typo in printk 2013-05-28 12:02:13 +02:00
lkdtm.c drivers: misc: Mark function jp_generic_ide_ioctl() as static in lkdtm.c 2013-12-18 16:41:52 -08:00
Makefile GenWQE Enable driver 2013-12-18 16:51:15 -08:00
pch_phub.c pch_phub: fix error return code in pch_phub_probe() 2013-06-06 12:54:08 -07:00
phantom.c misc: phantom: remove deprecated IRQF_DISABLED 2013-10-16 12:36:10 -07:00
pti.c misc: pti: remove unnecessary pci_set_drvdata() 2013-09-26 09:13:54 -07:00
spear13xx_pcie_gadget.c misc: replace strict_strtoul() with kstrtoul() 2013-06-06 12:54:08 -07:00
sram.c misc: sram: fix error path in sram_probe 2013-07-24 22:54:50 -07:00
ti_dac7512.c drivers: misc: ti_dac7512: add support for DT matching 2013-09-26 09:04:06 -07:00
tifm_7xx1.c tifm: fix error return code in tifm_7xx1_probe() 2013-10-30 10:19:30 -07:00
tifm_core.c tifm: convert bus code to use dev_groups 2013-10-16 18:40:58 -07:00
tsl2550.c Drivers: Misc: tsl2250: fix warnings, unsigned long will never < 0 2013-05-16 18:11:12 -07:00
vmw_balloon.c misc: vmw_balloon: Remove braces to fix build for clang. 2013-08-27 21:51:21 -07:00