From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 19 Aug 2020 10:28:52 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.14.194~61
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=07814cbd8bce21211b33e1d43337642557d4ac68;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	pci-hotplug-acpi-fix-context-refcounting-in-acpiphp_grab_context.patch
---

diff --git a/queue-4.4/pci-hotplug-acpi-fix-context-refcounting-in-acpiphp_grab_context.patch b/queue-4.4/pci-hotplug-acpi-fix-context-refcounting-in-acpiphp_grab_context.patch
new file mode 100644
index 00000000000..c2b7656cb6b
--- /dev/null
+++ b/queue-4.4/pci-hotplug-acpi-fix-context-refcounting-in-acpiphp_grab_context.patch
@@ -0,0 +1,51 @@
+From dae68d7fd4930315389117e9da35b763f12238f9 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Fri, 26 Jun 2020 19:42:34 +0200
+Subject: PCI: hotplug: ACPI: Fix context refcounting in acpiphp_grab_context()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit dae68d7fd4930315389117e9da35b763f12238f9 upstream.
+
+If context is not NULL in acpiphp_grab_context(), but the
+is_going_away flag is set for the device's parent, the reference
+counter of the context needs to be decremented before returning
+NULL or the context will never be freed, so make that happen.
+
+Fixes: edf5bf34d408 ("ACPI / dock: Use callback pointers from devices' ACPI hotplug contexts")
+Reported-by: Vasily Averin <vvs@virtuozzo.com>
+Cc: 3.15+ <stable@vger.kernel.org> # 3.15+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/hotplug/acpiphp_glue.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/pci/hotplug/acpiphp_glue.c
++++ b/drivers/pci/hotplug/acpiphp_glue.c
+@@ -136,13 +136,21 @@ static struct acpiphp_context *acpiphp_g
+ 	struct acpiphp_context *context;
+ 
+ 	acpi_lock_hp_context();
++
+ 	context = acpiphp_get_context(adev);
+-	if (!context || context->func.parent->is_going_away) {
+-		acpi_unlock_hp_context();
+-		return NULL;
++	if (!context)
++		goto unlock;
++
++	if (context->func.parent->is_going_away) {
++		acpiphp_put_context(context);
++		context = NULL;
++		goto unlock;
+ 	}
++
+ 	get_bridge(context->func.parent);
+ 	acpiphp_put_context(context);
++
++unlock:
+ 	acpi_unlock_hp_context();
+ 	return context;
+ }
diff --git a/queue-4.4/series b/queue-4.4/series
index d7f33056d8f..ee306eedebb 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -117,3 +117,4 @@ parisc-mask-out-enable-and-reserved-bits-from-sba-imask.patch
 arm-8992-1-fix-unwind_frame-for-clang-built-kernels.patch
 xen-balloon-fix-accounting-in-alloc_xenballooned_pages-error-path.patch
 xen-balloon-make-the-balloon-wait-interruptible.patch
+pci-hotplug-acpi-fix-context-refcounting-in-acpiphp_grab_context.patch