]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commitdiff
HID: intel-ish-hid: avoid binding wrong ishtp_cl_device
authorHong Liu <hong.liu@intel.com>
Tue, 12 Feb 2019 12:05:20 +0000 (20:05 +0800)
committerKleber Sacilotto de Souza <kleber.souza@canonical.com>
Wed, 14 Aug 2019 09:18:49 +0000 (11:18 +0200)
BugLink: https://bugs.launchpad.net/bugs/1838116
[ Upstream commit 0d28f49412405d87d3aae83da255070a46e67627 ]

When performing a warm reset in ishtp bus driver, the ishtp_cl_device
will not be removed, its fw_client still points to the already freed
ishtp_device.fw_clients array.

Later after driver finishing ishtp client enumeration, this dangling
pointer may cause driver to bind the wrong ishtp_cl_device to the new
client, causing wrong callback to be called for messages intended for
the new client.

This helps in development of firmware where frequent switching of
firmwares is required without Linux reboot.

Signed-off-by: Hong Liu <hong.liu@intel.com>
Tested-by: Hongyan Song <hongyan.song@intel.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
drivers/hid/intel-ish-hid/ishtp/bus.c

index 2623a567ffba5ae51e90653e47bea42127ea9b02..f546635e9ac9daf26d2de2984fb2972e69781a9f 100644 (file)
@@ -623,7 +623,8 @@ int ishtp_cl_device_bind(struct ishtp_cl *cl)
        spin_lock_irqsave(&cl->dev->device_list_lock, flags);
        list_for_each_entry(cl_device, &cl->dev->device_list,
                        device_link) {
-               if (cl_device->fw_client->client_id == cl->fw_client_id) {
+               if (cl_device->fw_client &&
+                   cl_device->fw_client->client_id == cl->fw_client_id) {
                        cl->device = cl_device;
                        rv = 0;
                        break;
@@ -683,6 +684,7 @@ void ishtp_bus_remove_all_clients(struct ishtp_device *ishtp_dev,
        spin_lock_irqsave(&ishtp_dev->device_list_lock, flags);
        list_for_each_entry_safe(cl_device, n, &ishtp_dev->device_list,
                                 device_link) {
+               cl_device->fw_client = NULL;
                if (warm_reset && cl_device->reference_count)
                        continue;