4.9-stable patches

added patches:
	staging-greybus-spilib-fix-use-after-free-after-deregistration.patch

diff --git a/queue-4.9/series b/queue-4.9/series
index b02f251941ae721c4942488e30f55b73cf679197..f41b33aebf9030613cebffa1489dd44f93b75072 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -69,3 +69,4 @@ usb-serial-garmin_gps-fix-i-o-after-failed-probe-and-remove.patch
 usb-serial-garmin_gps-fix-memory-leak-on-probe-errors.patch
 x86-mce-amd-always-give-panic-severity-for-uc-errors-in-kernel-context.patch
 brcmfmac-don-t-preset-all-channels-as-disabled.patch
+staging-greybus-spilib-fix-use-after-free-after-deregistration.patch

diff --git a/queue-4.9/staging-greybus-spilib-fix-use-after-free-after-deregistration.patch b/queue-4.9/staging-greybus-spilib-fix-use-after-free-after-deregistration.patch
new file mode 100644 (file)
index 0000000..1ee5e7d
--- /dev/null
+++ b/queue-4.9/staging-greybus-spilib-fix-use-after-free-after-deregistration.patch
@@ -0,0 +1,52 @@
+From 770b03c2ca4aa44d226cf248f86aa23e546147d0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sun, 29 Oct 2017 13:01:33 +0100
+Subject: staging: greybus: spilib: fix use-after-free after deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 770b03c2ca4aa44d226cf248f86aa23e546147d0 upstream.
+
+Remove erroneous spi_master_put() after controller deregistration which
+would access the already freed spi controller.
+
+Note that spi_unregister_master() drops our only controller reference.
+
+Fixes: ba3e67001b42 ("greybus: SPI: convert to a gpbridge driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Rui Miguel Silva <rmfrfs@gmail.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/greybus/spilib.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/greybus/spilib.c
++++ b/drivers/staging/greybus/spilib.c
+@@ -544,12 +544,15 @@ int gb_spilib_master_init(struct gb_conn
+ 
+       return 0;
+ 
+-exit_spi_unregister:
+-      spi_unregister_master(master);
+ exit_spi_put:
+       spi_master_put(master);
+ 
+       return ret;
++
++exit_spi_unregister:
++      spi_unregister_master(master);
++
++      return ret;
+ }
+ EXPORT_SYMBOL_GPL(gb_spilib_master_init);
+ 
+@@ -558,7 +561,6 @@ void gb_spilib_master_exit(struct gb_con
+       struct spi_master *master = gb_connection_get_data(connection);
+ 
+       spi_unregister_master(master);
+-      spi_master_put(master);
+ }
+ EXPORT_SYMBOL_GPL(gb_spilib_master_exit);
+