--- /dev/null
+From foo@baz Fri Dec 11 03:42:15 PM CET 2020
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 10 Dec 2020 20:20:01 +0100
+Subject: spi: bcm2835aux: Fix use-after-free on unbind
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.com>
+Cc: Mark Brown <broonie@kernel.org>, Sudip Mukherjee <sudipm.mukherjee@gmail.com>, Sasha Levin <sashal@kernel.org>, Nathan Chancellor <natechancellor@gmail.com>, stable@vger.kernel.org
+Message-ID: <6a940079e894346e8ee00878ef844decd216e695.1607626808.git.lukas@wunner.de>
+
+From: Lukas Wunner <lukas@wunner.de>
+
+[ Upstream commit e13ee6cc4781edaf8c7321bee19217e3702ed481 ]
+
+bcm2835aux_spi_remove() accesses the driver's private data after calling
+spi_unregister_master() even though that function releases the last
+reference on the spi_master and thereby frees the private data.
+
+Fix by switching over to the new devm_spi_alloc_master() helper which
+keeps the private data accessible until the driver has unbound.
+
+Fixes: b9dd3f6d4172 ("spi: bcm2835aux: Fix controller unregister order")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: <stable@vger.kernel.org> # v4.4+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: <stable@vger.kernel.org> # v4.4+: b9dd3f6d4172: spi: bcm2835aux: Fix controller unregister order
+Cc: <stable@vger.kernel.org> # v4.4+
+Link: https://lore.kernel.org/r/b290b06357d0c0bdee9cecc539b840a90630f101.1605121038.git.lukas@wunner.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-bcm2835aux.c | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+--- a/drivers/spi/spi-bcm2835aux.c
++++ b/drivers/spi/spi-bcm2835aux.c
+@@ -381,7 +381,7 @@ static int bcm2835aux_spi_probe(struct p
+ unsigned long clk_hz;
+ int err;
+
+- master = spi_alloc_master(&pdev->dev, sizeof(*bs));
++ master = devm_spi_alloc_master(&pdev->dev, sizeof(*bs));
+ if (!master) {
+ dev_err(&pdev->dev, "spi_alloc_master() failed\n");
+ return -ENOMEM;
+@@ -411,30 +411,26 @@ static int bcm2835aux_spi_probe(struct p
+ /* the main area */
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ bs->regs = devm_ioremap_resource(&pdev->dev, res);
+- if (IS_ERR(bs->regs)) {
+- err = PTR_ERR(bs->regs);
+- goto out_master_put;
+- }
++ if (IS_ERR(bs->regs))
++ return PTR_ERR(bs->regs);
+
+ bs->clk = devm_clk_get(&pdev->dev, NULL);
+ if ((!bs->clk) || (IS_ERR(bs->clk))) {
+- err = PTR_ERR(bs->clk);
+ dev_err(&pdev->dev, "could not get clk: %d\n", err);
+- goto out_master_put;
++ return PTR_ERR(bs->clk);
+ }
+
+ bs->irq = platform_get_irq(pdev, 0);
+ if (bs->irq <= 0) {
+ dev_err(&pdev->dev, "could not get IRQ: %d\n", bs->irq);
+- err = bs->irq ? bs->irq : -ENODEV;
+- goto out_master_put;
++ return bs->irq ? bs->irq : -ENODEV;
+ }
+
+ /* this also enables the HW block */
+ err = clk_prepare_enable(bs->clk);
+ if (err) {
+ dev_err(&pdev->dev, "could not prepare clock: %d\n", err);
+- goto out_master_put;
++ return err;
+ }
+
+ /* just checking if the clock returns a sane value */
+@@ -467,8 +463,6 @@ static int bcm2835aux_spi_probe(struct p
+
+ out_clk_disable:
+ clk_disable_unprepare(bs->clk);
+-out_master_put:
+- spi_master_put(master);
+ return err;
+ }
+
--- /dev/null
+From foo@baz Fri Dec 11 03:42:15 PM CET 2020
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 10 Dec 2020 20:20:02 +0100
+Subject: spi: bcm2835aux: Restore err assignment in bcm2835aux_spi_probe
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.com>
+Cc: Mark Brown <broonie@kernel.org>, Sudip Mukherjee <sudipm.mukherjee@gmail.com>, Sasha Levin <sashal@kernel.org>, Nathan Chancellor <natechancellor@gmail.com>, stable@vger.kernel.org
+Message-ID: <0dc949d865558ca23bd9decf10b9c4092f7576c1.1607626808.git.lukas@wunner.de>
+
+From: Nathan Chancellor <natechancellor@gmail.com>
+
+[ Upstream commit d853b3406903a7dc5b14eb5bada3e8cd677f66a2 ]
+
+Clang warns:
+
+drivers/spi/spi-bcm2835aux.c:532:50: warning: variable 'err' is
+uninitialized when used here [-Wuninitialized]
+ dev_err(&pdev->dev, "could not get clk: %d\n", err);
+ ^~~
+./include/linux/dev_printk.h:112:32: note: expanded from macro 'dev_err'
+ _dev_err(dev, dev_fmt(fmt), ##__VA_ARGS__)
+ ^~~~~~~~~~~
+drivers/spi/spi-bcm2835aux.c:495:9: note: initialize the variable 'err'
+to silence this warning
+ int err;
+ ^
+ = 0
+1 warning generated.
+
+Restore the assignment so that the error value can be used in the
+dev_err statement and there is no uninitialized memory being leaked.
+
+Fixes: e13ee6cc4781 ("spi: bcm2835aux: Fix use-after-free on unbind")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1199
+Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
+Link: https://lore.kernel.org/r/20201113180701.455541-1-natechancellor@gmail.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+[lukas: backport to 4.19-stable, add stable designation]
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: <stable@vger.kernel.org> # v4.4+: e13ee6cc4781: spi: bcm2835aux: Fix use-after-free on unbind
+Cc: <stable@vger.kernel.org> # v4.4+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-bcm2835aux.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-bcm2835aux.c
++++ b/drivers/spi/spi-bcm2835aux.c
+@@ -416,8 +416,9 @@ static int bcm2835aux_spi_probe(struct p
+
+ bs->clk = devm_clk_get(&pdev->dev, NULL);
+ if ((!bs->clk) || (IS_ERR(bs->clk))) {
++ err = PTR_ERR(bs->clk);
+ dev_err(&pdev->dev, "could not get clk: %d\n", err);
+- return PTR_ERR(bs->clk);
++ return err;
+ }
+
+ bs->irq = platform_get_irq(pdev, 0);
projects / thirdparty / kernel / stable-queue.git / commitdiff
