* [char-misc-next 0/3] mei: bus: null dereference in rx
From: Tomas Winkler @ 2020-10-29  9:54 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Alexander Usyskin, linux-kernel, Tomas Winkler

Fix a race in the receive callback for drivers on the ME client
bus that results in a null dereference, and improve
the error handling.
The first patch, 'mei: protect mei_cl_mtu from null dereference',
is itself sufficient to prevent the failure and is intended
for stable.


Alexander Usyskin (3):
  mei: protect mei_cl_mtu from null dereference
  mei: bus: do not start a read for disconnected clients
  mei: bus: deinitialize callback functions on init failure

 drivers/misc/mei/bus.c    | 18 ++++++++++++++----
 drivers/misc/mei/client.h |  4 ++--
 2 files changed, 16 insertions(+), 6 deletions(-)

-- 
2.25.4



* [char-misc-next 1/3] mei: protect mei_cl_mtu from null dereference
From: Tomas Winkler @ 2020-10-29  9:54 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Alexander Usyskin, linux-kernel, stable, Tomas Winkler

From: Alexander Usyskin <alexander.usyskin@intel.com>

A receive callback is queued while the client is still connected
but can still be called after the client was disconnected. Upon
disconnect cl->me_cl is set to NULL, hence we need to check
that ME client is not-NULL in mei_cl_mtu to avoid
null dereference.

Cc: <stable@vger.kernel.org>
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
---
 drivers/misc/mei/client.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/mei/client.h b/drivers/misc/mei/client.h
index 64143d4ec758..9e08a9843bba 100644
--- a/drivers/misc/mei/client.h
+++ b/drivers/misc/mei/client.h
@@ -182,11 +182,11 @@ static inline u8 mei_cl_me_id(const struct mei_cl *cl)
  *
  * @cl: host client
  *
- * Return: mtu
+ * Return: mtu or 0 if client is not connected
  */
 static inline size_t mei_cl_mtu(const struct mei_cl *cl)
 {
-	return cl->me_cl->props.max_msg_length;
+	return cl->me_cl ? cl->me_cl->props.max_msg_length : 0;
 }
 
 /**
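Review bot: The new return expression in mei_cl_mtu() reads cl->me_cl twice (once for the test, once for the dereference), so the NULL check only helps if disconnect cannot clear the pointer between the two loads. The commit message describes exactly that kind of late callback, so the kernel-doc should state which lock the caller must hold (the bus callers in this series take bus->device_lock around the call), or the function should load the pointer once into a local before testing it. The 0 return is also an in-band value: a caller that passes it straight on as a read length gets a zero-length read rather than an error, so it is worth checking each call site handles 0 deliberately.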
-- 
2.25.4



* [char-misc-next 2/3] mei: bus: do not start a read for disconnected clients
From: Tomas Winkler @ 2020-10-29  9:54 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Alexander Usyskin, linux-kernel, Tomas Winkler

From: Alexander Usyskin <alexander.usyskin@intel.com>

Avoid queuing reads and registering rx callbacks in
case the client is not connected, to prevent null
dereferencing and memory leaks.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
---
 drivers/misc/mei/bus.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
index 9cdaa7f3af23..1a54bf3ed0c3 100644
--- a/drivers/misc/mei/bus.c
+++ b/drivers/misc/mei/bus.c
@@ -276,7 +276,8 @@ static void mei_cl_bus_rx_work(struct work_struct *work)
 		cldev->rx_cb(cldev);
 
 	mutex_lock(&bus->device_lock);
-	mei_cl_read_start(cldev->cl, mei_cl_mtu(cldev->cl), NULL);
+	if (mei_cl_is_connected(cldev->cl))
+		mei_cl_read_start(cldev->cl, mei_cl_mtu(cldev->cl), NULL);
 	mutex_unlock(&bus->device_lock);
 }
 
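Review bot: The mei_cl_is_connected() check in mei_cl_bus_rx_work() guards only the re-arm of the read; cldev->rx_cb(cldev) on the context line above it still runs before the check and outside bus->device_lock, so the driver callback is still invoked for a client that has already been disconnected. If that is intended, a short comment saying callbacks must tolerate a disconnected client would help; otherwise the connection test belongs before the callback as well. The skipped read is also silent, and a debug message on that branch would make the disconnect race visible in logs.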
@@ -364,7 +365,10 @@ int mei_cldev_register_rx_cb(struct mei_cl_device *cldev, mei_cldev_cb_t rx_cb)
 	INIT_WORK(&cldev->rx_work, mei_cl_bus_rx_work);
 
 	mutex_lock(&bus->device_lock);
-	ret = mei_cl_read_start(cldev->cl, mei_cl_mtu(cldev->cl), NULL);
+	if (mei_cl_is_connected(cldev->cl))
+		ret = mei_cl_read_start(cldev->cl, mei_cl_mtu(cldev->cl), NULL);
+	else
+		ret = -ENODEV;
 	mutex_unlock(&bus->device_lock);
 	if (ret && ret != -EBUSY)
 		return ret;
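Review bot: The new -ENODEV branch in mei_cldev_register_rx_cb() returns through the existing "if (ret && ret != -EBUSY)" path after INIT_WORK() has already run, so at this point in the series a failed registration leaves the registration state half set up and the retry problem is only addressed by 3/3. Either fold that cleanup into this patch or note the dependency in the commit message, since only 1/3 is tagged for stable. The commit message also mentions memory leaks, but nothing in the hunk shows what was leaked; one sentence naming the leaked object would make the change easier to audit.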
-- 
2.25.4



* [char-misc-next 3/3] mei: bus: deinitialize callback functions on init failure
From: Tomas Winkler @ 2020-10-29  9:54 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: Alexander Usyskin, linux-kernel, Tomas Winkler

From: Alexander Usyskin <alexander.usyskin@intel.com>

If the initialization procedure for receive or receive callback
registration on the client bus has failed, the caller can't re-run it.
Deinitialize the callback pointers and cancel the work
to allow the caller to retry.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
---
 drivers/misc/mei/bus.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/mei/bus.c b/drivers/misc/mei/bus.c
index 1a54bf3ed0c3..76aa0e93748a 100644
--- a/drivers/misc/mei/bus.c
+++ b/drivers/misc/mei/bus.c
@@ -370,8 +370,11 @@ int mei_cldev_register_rx_cb(struct mei_cl_device *cldev, mei_cldev_cb_t rx_cb)
 	else
 		ret = -ENODEV;
 	mutex_unlock(&bus->device_lock);
-	if (ret && ret != -EBUSY)
+	if (ret && ret != -EBUSY) {
+		cancel_work_sync(&cldev->rx_work);
+		cldev->rx_cb = NULL;
 		return ret;
+	}
 
 	return 0;
 }
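Review bot: In the rx error path, cldev->rx_cb is cleared after cancel_work_sync() and after mutex_unlock(&bus->device_lock), so the store is unlocked and there is a window between the cancel and the store. Please state in a comment why rx_work cannot be queued again in that window (the read was never started on this path), or clear the pointer under the lock. It would also help to say what cancel_work_sync() is expected to cancel here, given that the failure being handled is that the read did not start.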
@@ -405,8 +408,11 @@ int mei_cldev_register_notif_cb(struct mei_cl_device *cldev,
 	mutex_lock(&bus->device_lock);
 	ret = mei_cl_notify_request(cldev->cl, NULL, 1);
 	mutex_unlock(&bus->device_lock);
-	if (ret)
+	if (ret) {
+		cancel_work_sync(&cldev->notif_work);
+		cldev->notif_cb = NULL;
 		return ret;
+	}
 
 	return 0;
 }
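Review bot: mei_cldev_register_notif_cb() still calls mei_cl_notify_request(cldev->cl, NULL, 1) without the mei_cl_is_connected() test that 2/3 added in front of mei_cl_read_start() on the rx side, so the two registration paths now treat a disconnected client differently. If mei_cl_notify_request() already rejects a disconnected client internally, say so in the commit message; if not, add the same guard here. The cancel-and-clear sequence is also duplicated verbatim from the rx path and could be a small helper, which would keep the ordering of cancel_work_sync() and the pointer reset identical in both places.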
-- 
2.25.4

