From 7a8017447b1d556e4241c8eaf1179ecdef0dc1f3 Mon Sep 17 00:00:00 2001
From: Yang Yingliang <yangyingliang@huawei.com>
Date: Tue, 19 Nov 2019 10:54:34 +0800
Subject: [PATCH] libertas: check workqueue in if_sdio_probe()

hulk inclusion
category: bugfix
bugzilla: 13690
CVE: CVE-2019-16232

-------------------------------------------------

There are multiple points in the Linux Kernel where alloc_workqueue is
not getting checked for errors and as a result, a potential NULL
dereference could occur.
https://lkml.org/lkml/2019/9/9/487

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Wenan Mao <maowenan@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 drivers/net/wireless/marvell/libertas/if_sdio.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/marvell/libertas/if_sdio.c b/drivers/net/wireless/marvell/libertas/if_sdio.c
index 39bf85d0ade0..282e409da689 100644
--- a/drivers/net/wireless/marvell/libertas/if_sdio.c
+++ b/drivers/net/wireless/marvell/libertas/if_sdio.c
@@ -1183,6 +1183,10 @@ static int if_sdio_probe(struct sdio_func *func,
 
 	spin_lock_init(&card->lock);
 	card->workqueue = alloc_workqueue("libertas_sdio", WQ_MEM_RECLAIM, 0);
+	if (!card->workqueue) {
+		ret = -ENOMEM;
+		goto free_before_queue;
+	}
 	INIT_WORK(&card->packet_worker, if_sdio_host_to_card_worker);
 	init_waitqueue_head(&card->pwron_waitq);
 
@@ -1234,6 +1238,7 @@ static int if_sdio_probe(struct sdio_func *func,
 	lbs_remove_card(priv);
 free:
 	destroy_workqueue(card->workqueue);
+free_before_queue:
 	while (card->packets) {
 		packet = card->packets;
 		card->packets = card->packets->next;
-- 
GitLab