From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 24 May 2021 09:58:23 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v4.4.270~48
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d71a5ee5b7d396f9a19c8b169fe465f7042503a;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	rapidio-handle-create_workqueue-failure.patch
	revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
	revert-serial-mvebu-uart-fix-to-avoid-a-potential-null-pointer-dereference.patch
	uio_hv_generic-fix-a-memory-leak-in-error-handling-paths.patch
---

diff --git a/queue-5.4/rapidio-handle-create_workqueue-failure.patch b/queue-5.4/rapidio-handle-create_workqueue-failure.patch
new file mode 100644
index 00000000000..a447a114008
--- /dev/null
+++ b/queue-5.4/rapidio-handle-create_workqueue-failure.patch
@@ -0,0 +1,51 @@
+From 69ce3ae36dcb03cdf416b0862a45369ddbf50fdf Mon Sep 17 00:00:00 2001
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+Date: Mon, 3 May 2021 13:57:12 +0200
+Subject: rapidio: handle create_workqueue() failure
+
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+
+commit 69ce3ae36dcb03cdf416b0862a45369ddbf50fdf upstream.
+
+In case create_workqueue() fails, release all resources and return -ENOMEM
+to caller to avoid potential NULL pointer deref later. Move up the
+create_workequeue() call to return early and avoid unwinding the call to
+riocm_rx_fill().
+
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Link: https://lore.kernel.org/r/20210503115736.2104747-46-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rapidio/rio_cm.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/rapidio/rio_cm.c
++++ b/drivers/rapidio/rio_cm.c
+@@ -2127,6 +2127,14 @@ static int riocm_add_mport(struct device
+ 		return -ENODEV;
+ 	}
+ 
++	cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
++	if (!cm->rx_wq) {
++		rio_release_inb_mbox(mport, cmbox);
++		rio_release_outb_mbox(mport, cmbox);
++		kfree(cm);
++		return -ENOMEM;
++	}
++
+ 	/*
+ 	 * Allocate and register inbound messaging buffers to be ready
+ 	 * to receive channel and system management requests
+@@ -2137,7 +2145,6 @@ static int riocm_add_mport(struct device
+ 	cm->rx_slots = RIOCM_RX_RING_SIZE;
+ 	mutex_init(&cm->rx_lock);
+ 	riocm_rx_fill(cm, RIOCM_RX_RING_SIZE);
+-	cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
+ 	INIT_WORK(&cm->rx_work, rio_ibmsg_handler);
+ 
+ 	cm->tx_slot = 0;
diff --git a/queue-5.4/revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch b/queue-5.4/revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
new file mode 100644
index 00000000000..6215895af3c
--- /dev/null
+++ b/queue-5.4/revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
@@ -0,0 +1,52 @@
+From 5e68b86c7b7c059c0f0ec4bf8adabe63f84a61eb Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 3 May 2021 13:57:11 +0200
+Subject: Revert "rapidio: fix a NULL pointer dereference when create_workqueue() fails"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 5e68b86c7b7c059c0f0ec4bf8adabe63f84a61eb upstream.
+
+This reverts commit 23015b22e47c5409620b1726a677d69e5cd032ba.
+
+Because of recent interactions with developers from @umn.edu, all
+commits from them have been recently re-reviewed to ensure if they were
+correct or not.
+
+Upon review, this commit was found to be incorrect for the reasons
+below, so it must be reverted.  It will be fixed up "correctly" in a
+later kernel change.
+
+The original commit has a memory leak on the error path here, it does
+not clean up everything properly.
+
+Cc: Kangjie Lu <kjlu@umn.edu>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Fixes: 23015b22e47c ("rapidio: fix a NULL pointer dereference when create_workqueue() fails")
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210503115736.2104747-45-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rapidio/rio_cm.c |    8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/rapidio/rio_cm.c
++++ b/drivers/rapidio/rio_cm.c
+@@ -2138,14 +2138,6 @@ static int riocm_add_mport(struct device
+ 	mutex_init(&cm->rx_lock);
+ 	riocm_rx_fill(cm, RIOCM_RX_RING_SIZE);
+ 	cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
+-	if (!cm->rx_wq) {
+-		riocm_error("failed to allocate IBMBOX_%d on %s",
+-			    cmbox, mport->name);
+-		rio_release_outb_mbox(mport, cmbox);
+-		kfree(cm);
+-		return -ENOMEM;
+-	}
+-
+ 	INIT_WORK(&cm->rx_work, rio_ibmsg_handler);
+ 
+ 	cm->tx_slot = 0;
diff --git a/queue-5.4/revert-serial-mvebu-uart-fix-to-avoid-a-potential-null-pointer-dereference.patch b/queue-5.4/revert-serial-mvebu-uart-fix-to-avoid-a-potential-null-pointer-dereference.patch
new file mode 100644
index 00000000000..bb01d7b6724
--- /dev/null
+++ b/queue-5.4/revert-serial-mvebu-uart-fix-to-avoid-a-potential-null-pointer-dereference.patch
@@ -0,0 +1,41 @@
+From 754f39158441f4c0d7a8255209dd9a939f08ce80 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 3 May 2021 13:56:32 +0200
+Subject: Revert "serial: mvebu-uart: Fix to avoid a potential NULL pointer dereference"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 754f39158441f4c0d7a8255209dd9a939f08ce80 upstream.
+
+This reverts commit 32f47179833b63de72427131169809065db6745e.
+
+Because of recent interactions with developers from @umn.edu, all
+commits from them have been recently re-reviewed to ensure if they were
+correct or not.
+
+Upon review, this commit was found to be not be needed at all as the
+change was useless because this function can only be called when
+of_match_device matched on something.  So it should be reverted.
+
+Cc: Aditya Pakki <pakki001@umn.edu>
+Cc: stable <stable@vger.kernel.org>
+Fixes: 32f47179833b ("serial: mvebu-uart: Fix to avoid a potential NULL pointer dereference")
+Acked-by: Jiri Slaby <jirislaby@kernel.org>
+Link: https://lore.kernel.org/r/20210503115736.2104747-6-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/mvebu-uart.c |    3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/tty/serial/mvebu-uart.c
++++ b/drivers/tty/serial/mvebu-uart.c
+@@ -818,9 +818,6 @@ static int mvebu_uart_probe(struct platf
+ 		return -EINVAL;
+ 	}
+ 
+-	if (!match)
+-		return -ENODEV;
+-
+ 	/* Assume that all UART ports have a DT alias or none has */
+ 	id = of_alias_get_id(pdev->dev.of_node, "serial");
+ 	if (!pdev->dev.of_node || id < 0)
diff --git a/queue-5.4/series b/queue-5.4/series
index fa4f3054a0a..132a256e8e8 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -30,3 +30,7 @@ alsa-hda-realtek-add-some-clove-ssids-of-alc293.patch
 alsa-hda-realtek-fix-silent-headphone-output-on-asus-ux430ua.patch
 alsa-hda-realtek-add-fixup-for-hp-omen-laptop.patch
 alsa-hda-realtek-add-fixup-for-hp-spectre-x360-15-df0xxx.patch
+uio_hv_generic-fix-a-memory-leak-in-error-handling-paths.patch
+revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
+rapidio-handle-create_workqueue-failure.patch
+revert-serial-mvebu-uart-fix-to-avoid-a-potential-null-pointer-dereference.patch
diff --git a/queue-5.4/uio_hv_generic-fix-a-memory-leak-in-error-handling-paths.patch b/queue-5.4/uio_hv_generic-fix-a-memory-leak-in-error-handling-paths.patch
new file mode 100644
index 00000000000..f02b54e3435
--- /dev/null
+++ b/queue-5.4/uio_hv_generic-fix-a-memory-leak-in-error-handling-paths.patch
@@ -0,0 +1,50 @@
+From 3ee098f96b8b6c1a98f7f97915f8873164e6af9d Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 9 May 2021 09:13:03 +0200
+Subject: uio_hv_generic: Fix a memory leak in error handling paths
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 3ee098f96b8b6c1a98f7f97915f8873164e6af9d upstream.
+
+If 'vmbus_establish_gpadl()' fails, the (recv|send)_gpadl will not be
+updated and 'hv_uio_cleanup()' in the error handling path will not be
+able to free the corresponding buffer.
+
+In such a case, we need to free the buffer explicitly.
+
+Fixes: cdfa835c6e5e ("uio_hv_generic: defer opening vmbus until first use")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/4fdaff557deef6f0475d02ba7922ddbaa1ab08a6.1620544055.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/uio/uio_hv_generic.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/uio/uio_hv_generic.c
++++ b/drivers/uio/uio_hv_generic.c
+@@ -296,8 +296,10 @@ hv_uio_probe(struct hv_device *dev,
+ 
+ 	ret = vmbus_establish_gpadl(channel, pdata->recv_buf,
+ 				    RECV_BUFFER_SIZE, &pdata->recv_gpadl);
+-	if (ret)
++	if (ret) {
++		vfree(pdata->recv_buf);
+ 		goto fail_close;
++	}
+ 
+ 	/* put Global Physical Address Label in name */
+ 	snprintf(pdata->recv_name, sizeof(pdata->recv_name),
+@@ -316,8 +318,10 @@ hv_uio_probe(struct hv_device *dev,
+ 
+ 	ret = vmbus_establish_gpadl(channel, pdata->send_buf,
+ 				    SEND_BUFFER_SIZE, &pdata->send_gpadl);
+-	if (ret)
++	if (ret) {
++		vfree(pdata->send_buf);
+ 		goto fail_close;
++	}
+ 
+ 	snprintf(pdata->send_name, sizeof(pdata->send_name),
+ 		 "send:%u", pdata->send_gpadl);