Hi, On Sun, Apr 22, 2018 at 11:30:36AM +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote: > > The patch below does not apply to the 4.9-stable tree. > If someone wants it applied there, or to any other stable or longterm > tree, then please email the backport, including the original git commit > id to <stable@xxxxxxxxxxxxxxx>. > This patch is not for stable. It's a fix for another recent patch. "cc: stable" should be removed, we discussed this already here: https://lkml.org/lkml/2018/4/13/620 Regards, Ioan > thanks, > > greg k-h > > ------------------ original commit in Linus's tree ------------------ > > From c5157b76869ba98c3a99a1982396437464e131a6 Mon Sep 17 00:00:00 2001 > From: Ioan Nicu <ioan.nicu.ext@xxxxxxxxx> > Date: Fri, 20 Apr 2018 14:55:49 -0700 > Subject: [PATCH] rapidio: fix rio_dma_transfer error handling > > Some of the mport_dma_req structure members were initialized late > inside the do_dma_request() function, just before submitting the > request to the dma engine. But we have some error branches before > that. In case of such an error, the code would return on the error > path and trigger the calling of dma_req_free() with a req structure > which is not completely initialized. This causes a NULL pointer > dereference in dma_req_free(). > > This patch fixes these error branches by making sure that all > necessary mport_dma_req structure members are initialized in > rio_dma_transfer() immediately after the request structure gets > allocated. > > Link: http://lkml.kernel.org/r/20180412150605.GA31409@xxxxxxxxx > Fixes: bbd876adb8c72 ("rapidio: use a reference count for struct mport_dma_req") > Signed-off-by: Ioan Nicu <ioan.nicu.ext@xxxxxxxxx> > Tested-by: Alexander Sverdlin <alexander.sverdlin@xxxxxxxxx> > Acked-by: Alexandre Bounine <alex.bou9@xxxxxxxxx> > Cc: Barry Wood <barry.wood@xxxxxxx> > Cc: Matt Porter <mporter@xxxxxxxxxxxxxxxxxxx> > Cc: Christophe JAILLET <christophe.jaillet@xxxxxxxxxx> > Cc: Logan Gunthorpe <logang@xxxxxxxxxxxx> > Cc: Chris Wilson <chris@xxxxxxxxxxxxxxxxxx> > Cc: Tvrtko Ursulin <tvrtko.ursulin@xxxxxxxxx> > Cc: Frank Kunz <frank.kunz@xxxxxxxxx> > Cc: <stable@xxxxxxxxxxxxxxx> [4.6+] > Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> > Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> > > diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c > index 9d27016c899e..0434ab7b6497 100644 > --- a/drivers/rapidio/devices/rio_mport_cdev.c > +++ b/drivers/rapidio/devices/rio_mport_cdev.c > @@ -740,10 +740,7 @@ static int do_dma_request(struct mport_dma_req *req, > tx->callback = dma_xfer_callback; > tx->callback_param = req; > > - req->dmach = chan; > - req->sync = sync; > req->status = DMA_IN_PROGRESS; > - init_completion(&req->req_comp); > kref_get(&req->refcount); > > cookie = dmaengine_submit(tx); > @@ -831,13 +828,20 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode, > if (!req) > return -ENOMEM; > > - kref_init(&req->refcount); > - > ret = get_dma_channel(priv); > if (ret) { > kfree(req); > return ret; > } > + chan = priv->dmach; > + > + kref_init(&req->refcount); > + init_completion(&req->req_comp); > + req->dir = dir; > + req->filp = filp; > + req->priv = priv; > + req->dmach = chan; > + req->sync = sync; > > /* > * If parameter loc_addr != NULL, we are transferring data from/to > @@ -925,11 +929,6 @@ rio_dma_transfer(struct file *filp, u32 transfer_mode, > xfer->offset, xfer->length); > } > > - req->dir = dir; > - req->filp = filp; > - req->priv = priv; > - chan = priv->dmach; > - > nents = dma_map_sg(chan->device->dev, > req->sgt.sgl, req->sgt.nents, dir); > if (nents == 0) { >