From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 24 May 2021 09:57:55 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v4.4.270~50
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e05494fe285977bafb86a956115ed685089f4b46;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	rapidio-handle-create_workqueue-failure.patch
	revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
---

diff --git a/queue-4.14/rapidio-handle-create_workqueue-failure.patch b/queue-4.14/rapidio-handle-create_workqueue-failure.patch
new file mode 100644
index 00000000000..07d6cf171b3
--- /dev/null
+++ b/queue-4.14/rapidio-handle-create_workqueue-failure.patch
@@ -0,0 +1,51 @@
+From 69ce3ae36dcb03cdf416b0862a45369ddbf50fdf Mon Sep 17 00:00:00 2001
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+Date: Mon, 3 May 2021 13:57:12 +0200
+Subject: rapidio: handle create_workqueue() failure
+
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+
+commit 69ce3ae36dcb03cdf416b0862a45369ddbf50fdf upstream.
+
+In case create_workqueue() fails, release all resources and return -ENOMEM
+to caller to avoid potential NULL pointer deref later. Move up the
+create_workequeue() call to return early and avoid unwinding the call to
+riocm_rx_fill().
+
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Link: https://lore.kernel.org/r/20210503115736.2104747-46-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rapidio/rio_cm.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/rapidio/rio_cm.c
++++ b/drivers/rapidio/rio_cm.c
+@@ -2136,6 +2136,14 @@ static int riocm_add_mport(struct device
+ 		return -ENODEV;
+ 	}
+ 
++	cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
++	if (!cm->rx_wq) {
++		rio_release_inb_mbox(mport, cmbox);
++		rio_release_outb_mbox(mport, cmbox);
++		kfree(cm);
++		return -ENOMEM;
++	}
++
+ 	/*
+ 	 * Allocate and register inbound messaging buffers to be ready
+ 	 * to receive channel and system management requests
+@@ -2146,7 +2154,6 @@ static int riocm_add_mport(struct device
+ 	cm->rx_slots = RIOCM_RX_RING_SIZE;
+ 	mutex_init(&cm->rx_lock);
+ 	riocm_rx_fill(cm, RIOCM_RX_RING_SIZE);
+-	cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
+ 	INIT_WORK(&cm->rx_work, rio_ibmsg_handler);
+ 
+ 	cm->tx_slot = 0;
diff --git a/queue-4.14/revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch b/queue-4.14/revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
new file mode 100644
index 00000000000..eb4ebdc2d8e
--- /dev/null
+++ b/queue-4.14/revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
@@ -0,0 +1,52 @@
+From 5e68b86c7b7c059c0f0ec4bf8adabe63f84a61eb Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 3 May 2021 13:57:11 +0200
+Subject: Revert "rapidio: fix a NULL pointer dereference when create_workqueue() fails"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 5e68b86c7b7c059c0f0ec4bf8adabe63f84a61eb upstream.
+
+This reverts commit 23015b22e47c5409620b1726a677d69e5cd032ba.
+
+Because of recent interactions with developers from @umn.edu, all
+commits from them have been recently re-reviewed to ensure if they were
+correct or not.
+
+Upon review, this commit was found to be incorrect for the reasons
+below, so it must be reverted.  It will be fixed up "correctly" in a
+later kernel change.
+
+The original commit has a memory leak on the error path here, it does
+not clean up everything properly.
+
+Cc: Kangjie Lu <kjlu@umn.edu>
+Cc: Alexandre Bounine <alex.bou9@gmail.com>
+Cc: Matt Porter <mporter@kernel.crashing.org>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Fixes: 23015b22e47c ("rapidio: fix a NULL pointer dereference when create_workqueue() fails")
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210503115736.2104747-45-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/rapidio/rio_cm.c |    8 --------
+ 1 file changed, 8 deletions(-)
+
+--- a/drivers/rapidio/rio_cm.c
++++ b/drivers/rapidio/rio_cm.c
+@@ -2147,14 +2147,6 @@ static int riocm_add_mport(struct device
+ 	mutex_init(&cm->rx_lock);
+ 	riocm_rx_fill(cm, RIOCM_RX_RING_SIZE);
+ 	cm->rx_wq = create_workqueue(DRV_NAME "/rxq");
+-	if (!cm->rx_wq) {
+-		riocm_error("failed to allocate IBMBOX_%d on %s",
+-			    cmbox, mport->name);
+-		rio_release_outb_mbox(mport, cmbox);
+-		kfree(cm);
+-		return -ENOMEM;
+-	}
+-
+ 	INIT_WORK(&cm->rx_work, rio_ibmsg_handler);
+ 
+ 	cm->tx_slot = 0;
diff --git a/queue-4.14/series b/queue-4.14/series
index d0f6501f6e7..c7206996860 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -8,3 +8,5 @@ alsa-usb-audio-validate-ms-endpoint-descriptors.patch
 alsa-bebob-oxfw-fix-kconfig-entry-for-mackie-d.2-pro.patch
 revert-alsa-sb8-add-a-check-for-request_region.patch
 alsa-hda-realtek-reset-eapd-coeff-to-default-value-for-alc287.patch
+revert-rapidio-fix-a-null-pointer-dereference-when-create_workqueue-fails.patch
+rapidio-handle-create_workqueue-failure.patch