This is a note to let you know that I've just added the patch titled

    mei: fix NULL dereferencing during FW initiated disconnection

to the 4.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    mei-fix-null-dereferencing-during-fw-initiated-disconnection.patch
and it can be found in the queue-4.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

From 6a8d648c8d1824117a9e9edb948ed1611fb013c0 Mon Sep 17 00:00:00 2001
From: Alexander Usyskin <alexander.usyskin@xxxxxxxxx>
Date: Sun, 17 Apr 2016 12:16:03 -0400
Subject: mei: fix NULL dereferencing during FW initiated disconnection

From: Alexander Usyskin <alexander.usyskin@xxxxxxxxx>

commit 6a8d648c8d1824117a9e9edb948ed1611fb013c0 upstream.

In the case when disconnection is initiated from the FW
the driver is flushing items from the write control list while
iterating over it:

mei_irq_write_handler()
    list_for_each_entry_safe(ctrl_wr_list)         <-- outer loop
        mei_cl_irq_disconnect_rsp()
            mei_cl_set_disconnected()
                mei_io_list_flush(ctrl_wr_list)    <-- destroying list

We move the list flushing to the completion routine.

Signed-off-by: Alexander Usyskin <alexander.usyskin@xxxxxxxxx>
Signed-off-by: Tomas Winkler <tomas.winkler@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/misc/mei/client.c    |    4 ++++
 drivers/misc/mei/hbm.c       |    3 +--
 drivers/misc/mei/interrupt.c |    5 +----
 3 files changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/misc/mei/client.c +++ b/drivers/misc/mei/client.c @@ -1735,6 +1735,10 @@ void mei_cl_complete(struct mei_cl *cl, wake_up(&cl->wait); break; + case MEI_FOP_DISCONNECT_RSP: + mei_io_cb_free(cb); + mei_cl_set_disconnected(cl); + break; default: BUG_ON(0); } --- a/drivers/misc/mei/hbm.c +++ b/drivers/misc/mei/hbm.c
@@ -873,8 +873,7 @@ static int mei_hbm_fw_disconnect_req(str cb = mei_io_cb_init(cl, MEI_FOP_DISCONNECT_RSP, NULL); if (!cb) return -ENOMEM; - cl_dbg(dev, cl, "add disconnect response as first\n"); - list_add(&cb->list, &dev->ctrl_wr_list.list); + list_add_tail(&cb->list, &dev->ctrl_wr_list.list); } return 0; } --- a/drivers/misc/mei/interrupt.c +++ b/drivers/misc/mei/interrupt.c @@ -184,10 +184,7 @@ static int mei_cl_irq_disconnect_rsp(str return -EMSGSIZE; ret = mei_hbm_cl_disconnect_rsp(dev, cl); - mei_cl_set_disconnected(cl); - mei_io_cb_free(cb); - mei_me_cl_put(cl->me_cl); - cl->me_cl = NULL; + list_move_tail(&cb->list, &cmpl_list->list); return ret; }

Patches currently in stable-queue which might be from alexander.usyskin@xxxxxxxxx are

queue-4.5/mei-fix-null-dereferencing-during-fw-initiated-disconnection.patch
queue-4.5/mei-amthif-discard-not-read-messages.patch
queue-4.5/mei-bus-call-mei_cl_read_start-under-device-lock.patch
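
Review bot: In the drivers/misc/mei/client.c hunk, the new "case MEI_FOP_DISCONNECT_RSP:" calls only mei_io_cb_free(cb) and mei_cl_set_disconnected(cl), while the code it replaces in mei_cl_irq_disconnect_rsp() also did mei_me_cl_put(cl->me_cl) and "cl->me_cl = NULL". The changelog talks only about the list flush, so the patch alone does not show whether the me_cl reference is still dropped on this path. Please state in the changelog, or in a short comment above the case, that mei_cl_set_disconnected() covers it, or keep the put here.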
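
Review bot: In the drivers/misc/mei/hbm.c hunk, replacing list_add() with list_add_tail() changes where the disconnect response sits in ctrl_wr_list, and the changelog does not explain this ordering change. The removed debug message ("add disconnect response as first") shows the head insertion was deliberate, so please add a sentence on why the response no longer has to go out ahead of control writes that are already queued. Consider keeping a cl_dbg() line with updated wording so the queuing still shows up in debug logs.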
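
Review bot: In the drivers/misc/mei/interrupt.c hunk, list_move_tail(&cb->list, &cmpl_list->list) runs whatever mei_hbm_cl_disconnect_rsp() returned, so the completion case added in client.c will mark the client disconnected even when sending the response failed, and ret is only handed back to the caller. If that is intended, a one-line comment saying so would help; otherwise check ret before moving cb to the completion list. The earlier "return -EMSGSIZE" path leaves cb on ctrl_wr_list, which looks right for a retry and is worth a word in the same comment.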