[SRU][X][PATCH 1/1] libertas: fix a potential NULL pointer dereference

[Krzysztof Kozlowski]

From: Allen Pais <allen.pais at oracle.com>

CVE-2019-16232

alloc_workqueue is not checked for errors and as a result,
a potential NULL dereference could occur.

Signed-off-by: Allen Pais <allen.pais at oracle.com>
Signed-off-by: Kalle Valo <kvalo at codeaurora.org>
(cherry picked from commit 7da413a18583baaf35dd4a8eb414fa410367d7f2)
[krzk: backport applied to different path - without marvell subdir,
       create_workqueue is a wrapper for alloc_workqueue]
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski at canonical.com>
---
 drivers/net/wireless/libertas/if_sdio.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/libertas/if_sdio.c b/drivers/net/wireless/libertas/if_sdio.c
index 33ceda296c9c..45d68ee682f6 100644
--- a/drivers/net/wireless/libertas/if_sdio.c
+++ b/drivers/net/wireless/libertas/if_sdio.c
@@ -1229,6 +1229,10 @@ static int if_sdio_probe(struct sdio_func *func,
 
 	spin_lock_init(&card->lock);
 	card->workqueue = create_workqueue("libertas_sdio");
+	if (unlikely(!card->workqueue)) {
+		ret = -ENOMEM;
+		goto err_queue;
+	}
 	INIT_WORK(&card->packet_worker, if_sdio_host_to_card_worker);
 	init_waitqueue_head(&card->pwron_waitq);
 
@@ -1282,6 +1286,7 @@ err_activate_card:
 	lbs_remove_card(priv);
 free:
 	destroy_workqueue(card->workqueue);
+err_queue:
 	while (card->packets) {
 		packet = card->packets;
 		card->packets = card->packets->next;
-- 
2.25.1