Linux kernel source tree https://git.amat.us/linux/atom/drivers/misc?h=v3.12.14 2014-03-05T16:13:49Z 2014-03-05T16:13:49Z Chao Bi chao.bi@intel.com 2014-02-12T19:27:25Z urn:sha1:e4df71a87ab45902153c799a9873758ef87040b0 commit accb884b32e82f943340688c9cd30290531e73e0 upstream. In mei_cl_read_start(), if it fails to send flow control request, it will release "cl->read_cb" but forget to set pointer to NULL, leaving "cl->read_cb" still pointing to random memory, next time this client is operated like mei_release(), it has chance to refer to this wrong pointer. Fixes: PANIC at kfree in mei_release() [228781.826904] Call Trace: [228781.829737] [<c16249b8>] ? mei_cl_unlink+0x48/0xa0 [228781.835283] [<c1624487>] mei_io_cb_free+0x17/0x30 [228781.840733] [<c16265d8>] mei_release+0xa8/0x180 [228781.845989] [<c135c610>] ? __fsnotify_parent+0xa0/0xf0 [228781.851925] [<c1325a69>] __fput+0xd9/0x200 [228781.856696] [<c1325b9d>] ____fput+0xd/0x10 [228781.861467] [<c125cae1>] task_work_run+0x81/0xb0 [228781.866821] [<c1242e53>] do_exit+0x283/0xa00 [228781.871786] [<c1a82b36>] ? kprobe_flush_task+0x66/0xc0 [228781.877722] [<c124eeb8>] ? __dequeue_signal+0x18/0x1a0 [228781.883657] [<c124f072>] ? dequeue_signal+0x32/0x190 [228781.889397] [<c1243744>] do_group_exit+0x34/0xa0 [228781.894750] [<c12517b6>] get_signal_to_deliver+0x206/0x610 [228781.901075] [<c12018d8>] do_signal+0x38/0x100 [228781.906136] [<c1626d1c>] ? mei_read+0x42c/0x4e0 [228781.911393] [<c12600a0>] ? wake_up_bit+0x30/0x30 [228781.916745] [<c16268f0>] ? mei_poll+0x120/0x120 [228781.922001] [<c1324be9>] ? vfs_read+0x89/0x160 [228781.927158] [<c16268f0>] ? mei_poll+0x120/0x120 [228781.932414] [<c133ca34>] ? fget_light+0x44/0xe0 [228781.937670] [<c1324e58>] ? SyS_read+0x68/0x80 [228781.942730] [<c12019f5>] do_notify_resume+0x55/0x70 [228781.948376] [<c1a7de5d>] work_notifysig+0x29/0x30 [228781.953827] [<c1a70000>] ? bad_area+0x5/0x3e Signed-off-by: Chao Bi <chao.bi@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 2014-02-22T21:32:27Z Alexander Usyskin alexander.usyskin@intel.com 2014-01-27T20:27:24Z urn:sha1:1a1d81ccf47de68b59c798cb7448e655a59372bc commit 5cb906c7035f03a3a44fecece9d3ff8fcc75d6e0 upstream. Don't set read callback to NULL during reset as this leads to memory leak of both cb and its buffer. The memory is correctly freed during mei_release. The memory leak is detectable by kmemleak if application has open read call while system is going through suspend/resume. unreferenced object 0xecead780 (size 64): comm "AsyncTask #1", pid 1018, jiffies 4294949621 (age 152.440s) hex dump (first 32 bytes): 00 01 10 00 00 02 20 00 00 bf 30 f1 00 00 00 00 ...... ...0..... 00 00 00 00 00 00 00 00 36 01 00 00 00 70 da e2 ........6....p.. backtrace: [<c1a60aec>] kmemleak_alloc+0x3c/0xa0 [<c131ed56>] kmem_cache_alloc_trace+0xc6/0x190 [<c16243c9>] mei_io_cb_init+0x29/0x50 [<c1625722>] mei_cl_read_start+0x102/0x360 [<c16268f3>] mei_read+0x103/0x4e0 [<c1324b09>] vfs_read+0x89/0x160 [<c1324d5f>] SyS_read+0x4f/0x80 [<c1a7b318>] syscall_call+0x7/0xb [<ffffffff>] 0xffffffff unreferenced object 0xe2da7000 (size 512): comm "AsyncTask #1", pid 1018, jiffies 4294949621 (age 152.440s) hex dump (first 32 bytes): 00 6c da e2 7c 00 00 00 00 00 00 00 c0 eb 0c 59 .l..|..........Y 1b 00 00 00 01 00 00 00 02 10 00 00 01 00 00 00 ................ backtrace: [<c1a60aec>] kmemleak_alloc+0x3c/0xa0 [<c131f127>] __kmalloc+0xe7/0x1d0 [<c162447e>] mei_io_cb_alloc_resp_buf+0x2e/0x60 [<c162574c>] mei_cl_read_start+0x12c/0x360 [<c16268f3>] mei_read+0x103/0x4e0 [<c1324b09>] vfs_read+0x89/0x160 [<c1324d5f>] SyS_read+0x4f/0x80 [<c1a7b318>] syscall_call+0x7/0xb [<ffffffff>] 0xffffffff Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-02-22T21:32:27Z Alexander Usyskin alexander.usyskin@intel.com 2014-01-27T20:27:23Z urn:sha1:cb2a6e8a6e423b1424fdd792640943a53a3d70f3 commit 30c54df7cb9b15b222529a028390b9c9582dd65e upstream. Clear write callbacks sitting in write_waiting list on reset. Otherwise these callbacks are left dangling and cause memory leak. Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-02-13T21:50:18Z Paul Bolle pebolle@tiscali.nl 2014-02-06T21:53:29Z urn:sha1:13f048657763363335d585ec5ffc1212df77bc97 Building hbm.o for v3.13.2 triggers a GCC warning: drivers/misc/mei/hbm.c: In function 'mei_hbm_dispatch': drivers/misc/mei/hbm.c:596:3: warning: 'return' with a value, in function returning void [enabled by default] return 0; ^ GCC is correct, obviously. So let's return void instead of zero here. Signed-off-by: Paul Bolle <pebolle@tiscali.nl> Acked-by: Tomas Winkler <tomas.winkler@intel.com> Cc: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2014-02-06T19:22:17Z Tomas Winkler tomas.winkler@intel.com 2014-01-08T18:19:22Z urn:sha1:c0121cc1144c36a651d1528b4579413f078934cf commit 66ae460b13c31a176b41550259683c841a62af3e upstream. When reset is caused by hbm protocol mismatch or timeout we might end up in an endless reset loop and hbm protocol will never sync Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-12-12T06:37:55Z Tomas Winkler tomas.winkler@intel.com 2013-12-05T07:34:44Z urn:sha1:003bd1d4842bb9a34cbd1513e19183e94323931f commit 76a9635979e543f04a5885198e68ff28e3311b67 upstream. And Lynx Point H Refresh and Wildcat Point LP device ids. Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-12-12T06:37:55Z Tomas Winkler tomas.winkler@intel.com 2013-10-16T09:09:43Z urn:sha1:56c4c4c9a6c972c45501ea5ae6852563b08bfd2b commit 838b3a6d62413b336f3dde15ecff161070358957 upstream. add missing device id for LPT based work station Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-12-12T06:37:53Z James Bottomley JBottomley@Parallels.com 2013-11-15T22:58:00Z urn:sha1:ccdc5fa75e43f67b006f63e26a551eefa4b0fb96 commit a1470c7bf3a4676e62e4c0fb204e339399eb5c59 upstream. Bug report from: wenxiong@linux.vnet.ibm.com The issue is happened in dual controller configuration. We got the sysfs warnings when rmmod the ipr module. enclosure_unregister() in drivers/msic/enclosure.c, call device_unregister() for each componment deivce, device_unregister() ->device_del()->kobject_del() ->sysfs_remove_dir(). In sysfs_remove_dir(), set kobj->sd = NULL. For each componment device, enclosure_component_release()->enclosure_remove_links()->sysfs_remove_link() in which checking kobj->sd again, it has been set as NULL when doing device_unregister. So we saw all these sysfs WARNING. Tested-by: wenxiong@linux.vnet.ibm.com Signed-off-by: James Bottomley <JBottomley@Parallels.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-11-29T19:28:09Z Tomas Winkler tomas.winkler@intel.com 2013-10-21T19:05:38Z urn:sha1:a58c56c06df7d78317fb330a1677e93c46566de9 commit 4bff7208f332b2b1d7cf1338e50527441283a198 upstream. The flow may reach the err label without freeing cl and cl_info cl and cl_info weren't assigned to ndev->cl and cl_info so they weren't freed in mei_nfc_free called on error path Cc: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-11-29T19:27:56Z Kees Cook keescook@chromium.org 2013-10-25T01:05:42Z urn:sha1:5bb21134853f6dc7bc16c7fcb24470e8676a3c54 commit 629c66a22c21b692b6e58b9c1d8fa56a60ccb52d upstream. When tests were added to lkdtm that grew the stack frame, the stack corruption test stopped working. This isolates the test in its own function, and forces it not to be inlined. Signed-off-by: Kees Cook <keescook@chromium.org> Fixes: cc33c537c12f ("lkdtm: add "EXEC_*" triggers") Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>