From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail-db5eur01on0132.outbound.protection.outlook.com ([104.47.2.132]:3661
        "EHLO EUR01-DB5-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1751519AbeDWHHL (ORCPT <rfc822;stable@vger.kernel.org>);
        Mon, 23 Apr 2018 03:07:11 -0400
Date: Mon, 23 Apr 2018 09:07:13 +0200
From: Ioan Nicu <ioan.nicu.ext@nokia.com>
To: gregkh@linuxfoundation.org
Cc: akpm@linux-foundation.org, alex.bou9@gmail.com,
        alexander.sverdlin@nokia.com, barry.wood@idt.com,
        chris@chris-wilson.co.uk, christophe.jaillet@wanadoo.fr,
        frank.kunz@nokia.com, logang@deltatee.com,
        mporter@kernel.crashing.org, stable@vger.kernel.org,
        torvalds@linux-foundation.org, tvrtko.ursulin@intel.com
Subject: Re: FAILED: patch "[PATCH] rapidio: fix rio_dma_transfer error
 handling" failed to apply to 4.9-stable tree
Message-ID: <20180423070711.GB1732@nokia.com>
References: <1524389436176177@kroah.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1524389436176177@kroah.com>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

Hi,

On Sun, Apr 22, 2018 at 11:30:36AM +0200, gregkh@linuxfoundation.org wrote:
> 
> The patch below does not apply to the 4.9-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@vger.kernel.org>.
> 

This patch is not for stable. It's a fix for another recent patch.
"cc: stable" should be removed, we discussed this already here:

https://lkml.org/lkml/2018/4/13/620

Regards,
Ioan

> thanks,
> 
> greg k-h
> 
> ------------------ original commit in Linus's tree ------------------
> 
> From c5157b76869ba98c3a99a1982396437464e131a6 Mon Sep 17 00:00:00 2001
> From: Ioan Nicu <ioan.nicu.ext@nokia.com>
> Date: Fri, 20 Apr 2018 14:55:49 -0700
> Subject: [PATCH] rapidio: fix rio_dma_transfer error handling
> 
> Some of the mport_dma_req structure members were initialized late
> inside the do_dma_request() function, just before submitting the
> request to the dma engine. But we have some error branches before
> that. In case of such an error, the code would return on the error
> path and trigger the calling of dma_req_free() with a req structure
> which is not completely initialized. This causes a NULL pointer
> dereference in dma_req_free().
> 
> This patch fixes these error branches by making sure that all
> necessary mport_dma_req structure members are initialized in
> rio_dma_transfer() immediately after the request structure gets
> allocated.
> 
> Link: http://lkml.kernel.org/r/20180412150605.GA31409@nokia.com
> Fixes: bbd876adb8c72 ("rapidio: use a reference count for struct mport_dma_req")
> Signed-off-by: Ioan Nicu <ioan.nicu.ext@nokia.com>
> Tested-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
> Acked-by: Alexandre Bounine <alex.bou9@gmail.com>
> Cc: Barry Wood <barry.wood@idt.com>
> Cc: Matt Porter <mporter@kernel.crashing.org>
> Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> Cc: Logan Gunthorpe <logang@deltatee.com>
> Cc: Chris Wilson <chris@chris-wilson.co.uk>
> Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
> Cc: Frank Kunz <frank.kunz@nokia.com>
> Cc: <stable@vger.kernel.org>	[4.6+]
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> 
> diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
> index 9d27016c899e..0434ab7b6497 100644
> --- a/drivers/rapidio/devices/rio_mport_cdev.c
> +++ b/drivers/rapidio/devices/rio_mport_cdev.c
> @@ -740,10 +740,7 @@ static int do_dma_request(struct mport_dma_req *req,
>  	tx->callback = dma_xfer_callback;
>  	tx->callback_param = req;
>  
> -	req->dmach = chan;
> -	req->sync = sync;
>  	req->status = DMA_IN_PROGRESS;
> -	init_completion(&req->req_comp);
>  	kref_get(&req->refcount);
>  
>  	cookie = dmaengine_submit(tx);
> @@ -831,13 +828,20 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode,
>  	if (!req)
>  		return -ENOMEM;
>  
> -	kref_init(&req->refcount);
> -
>  	ret = get_dma_channel(priv);
>  	if (ret) {
>  		kfree(req);
>  		return ret;
>  	}
> +	chan = priv->dmach;
> +
> +	kref_init(&req->refcount);
> +	init_completion(&req->req_comp);
> +	req->dir = dir;
> +	req->filp = filp;
> +	req->priv = priv;
> +	req->dmach = chan;
> +	req->sync = sync;
>  
>  	/*
>  	 * If parameter loc_addr != NULL, we are transferring data from/to
> @@ -925,11 +929,6 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode,
>  				xfer->offset, xfer->length);
>  	}
>  
> -	req->dir = dir;
> -	req->filp = filp;
> -	req->priv = priv;
> -	chan = priv->dmach;
> -
>  	nents = dma_map_sg(chan->device->dev,
>  			   req->sgt.sgl, req->sgt.nents, dir);
>  	if (nents == 0) {
>