--- /dev/null
+From 69ce3ae36dcb03cdf416b0862a45369ddbf50fdf Mon Sep 17 00:00:00 2001
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+Date: Mon, 3 May 2021 13:57:12 +0200
+Subject: rapidio: handle create_workqueue() failure
+
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+
+commit 69ce3ae36dcb03cdf416b0862a45369ddbf50fdf upstream.
+
+In case create_workqueue() fails, release all resources and return -ENOMEM
+to caller to avoid potential NULL pointer deref later. Move up the
+create_workequeue() call to return early and avoid unwinding the call to
+riocm_rx_fill().
+
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Link: https://lore.kernel.org/r/20210503115736.2104747-46-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rapidio/rio_cm.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/rapidio/rio_cm.c
++++ b/drivers/rapidio/rio_cm.c
+@@ -2127,6 +2127,14 @@ static int riocm_add_mport(struct device
+ return -ENODEV;
+ }
+
++ cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
++ if (!cm->rx_wq) {
++ rio_release_inb_mbox(mport, cmbox);
++ rio_release_outb_mbox(mport, cmbox);
++ kfree(cm);
++ return -ENOMEM;
++ }
++
+ /*
+ * Allocate and register inbound messaging buffers to be ready
+ * to receive channel and system management requests
+@@ -2137,7 +2145,6 @@ static int riocm_add_mport(struct device
+ cm->rx_slots = RIOCM_RX_RING_SIZE;
+ mutex_init(&cm->rx_lock);
+ riocm_rx_fill(cm, RIOCM_RX_RING_SIZE);
+- cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
+ INIT_WORK(&cm->rx_work, rio_ibmsg_handler);
+
+ cm->tx_slot = 0;
--- /dev/null
+From 5e68b86c7b7c059c0f0ec4bf8adabe63f84a61eb Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 3 May 2021 13:57:11 +0200
+Subject: Revert "rapidio: fix a NULL pointer dereference when create_workqueue() fails"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 5e68b86c7b7c059c0f0ec4bf8adabe63f84a61eb upstream.
+
+This reverts commit 23015b22e47c5409620b1726a677d69e5cd032ba.
+
+Because of recent interactions with developers from @umn.edu, all
+commits from them have been recently re-reviewed to ensure if they were
+correct or not.
+
+Upon review, this commit was found to be incorrect for the reasons
+below, so it must be reverted. It will be fixed up "correctly" in a
+later kernel change.
+
+The original commit has a memory leak on the error path here, it does
+not clean up everything properly.
+
+Cc: Kangjie Lu <kjlu@umn.edu>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Fixes: 23015b22e47c ("rapidio: fix a NULL pointer dereference when create_workqueue() fails")
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210503115736.2104747-45-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rapidio/rio_cm.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/rapidio/rio_cm.c
++++ b/drivers/rapidio/rio_cm.c
+@@ -2138,14 +2138,6 @@ static int riocm_add_mport(struct device
+ mutex_init(&cm->rx_lock);
+ riocm_rx_fill(cm, RIOCM_RX_RING_SIZE);
+ cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
+- if (!cm->rx_wq) {
+- riocm_error("failed to allocate IBMBOX_%d on %s",
+- cmbox, mport->name);
+- rio_release_outb_mbox(mport, cmbox);
+- kfree(cm);
+- return -ENOMEM;
+- }
+-
+ INIT_WORK(&cm->rx_work, rio_ibmsg_handler);
+
+ cm->tx_slot = 0;
--- /dev/null
+From 754f39158441f4c0d7a8255209dd9a939f08ce80 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 3 May 2021 13:56:32 +0200
+Subject: Revert "serial: mvebu-uart: Fix to avoid a potential NULL pointer dereference"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 754f39158441f4c0d7a8255209dd9a939f08ce80 upstream.
+
+This reverts commit 32f47179833b63de72427131169809065db6745e.
+
+Because of recent interactions with developers from @umn.edu, all
+commits from them have been recently re-reviewed to ensure if they were
+correct or not.
+
+Upon review, this commit was found to be not be needed at all as the
+change was useless because this function can only be called when
+of_match_device matched on something. So it should be reverted.
+
+Cc: Aditya Pakki <pakki001@umn.edu>
+Cc: stable <stable@vger.kernel.org>
+Fixes: 32f47179833b ("serial: mvebu-uart: Fix to avoid a potential NULL pointer dereference")
+Acked-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/20210503115736.2104747-6-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/mvebu-uart.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/tty/serial/mvebu-uart.c
++++ b/drivers/tty/serial/mvebu-uart.c
+@@ -818,9 +818,6 @@ static int mvebu_uart_probe(struct platf
+ return -EINVAL;
+ }
+
+- if (!match)
+- return -ENODEV;
+-
+ /* Assume that all UART ports have a DT alias or none has */
+ id = of_alias_get_id(pdev->dev.of_node, "serial");
+ if (!pdev->dev.of_node || id < 0)
alsa-hda-realtek-fix-silent-headphone-output-on-asus-ux430ua.patch
alsa-hda-realtek-add-fixup-for-hp-omen-laptop.patch
alsa-hda-realtek-add-fixup-for-hp-spectre-x360-15-df0xxx.patch
+uio_hv_generic-fix-a-memory-leak-in-error-handling-paths.patch
+revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
+rapidio-handle-create_workqueue-failure.patch
+revert-serial-mvebu-uart-fix-to-avoid-a-potential-null-pointer-dereference.patch
--- /dev/null
+From 3ee098f96b8b6c1a98f7f97915f8873164e6af9d Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 9 May 2021 09:13:03 +0200
+Subject: uio_hv_generic: Fix a memory leak in error handling paths
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 3ee098f96b8b6c1a98f7f97915f8873164e6af9d upstream.
+
+If 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not be
+updated and 'hv_uio_cleanup()' in the error handling path will not be
+able to free the corresponding buffer.
+
+In such a case, we need to free the buffer explicitly.
+
+Fixes: cdfa835c6e5e ("uio_hv_generic: defer opening vmbus until first use")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/4fdaff557deef6f0475d02ba7922ddbaa1ab08a6.1620544055.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio_hv_generic.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -296,8 +296,10 @@ hv_uio_probe(struct hv_device *dev,
+
+ ret = vmbus_establish_gpadl(channel, pdata->recv_buf,
+ RECV_BUFFER_SIZE, &pdata->recv_gpadl);
+- if (ret)
++ if (ret) {
++ vfree(pdata->recv_buf);
+ goto fail_close;
++ }
+
+ /* put Global Physical Address Label in name */
+ snprintf(pdata->recv_name, sizeof(pdata->recv_name),
+@@ -316,8 +318,10 @@ hv_uio_probe(struct hv_device *dev,
+
+ ret = vmbus_establish_gpadl(channel, pdata->send_buf,
+ SEND_BUFFER_SIZE, &pdata->send_gpadl);
+- if (ret)
++ if (ret) {
++ vfree(pdata->send_buf);
+ goto fail_close;
++ }
+
+ snprintf(pdata->send_name, sizeof(pdata->send_name),
+ "send:%u", pdata->send_gpadl);
projects / thirdparty / kernel / stable-queue.git / commitdiff
