From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 19 Nov 2017 14:27:05 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v3.18.83~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=764c70c813be1cb6ccf1ac69ce197778bb50c5e5;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	staging-greybus-spilib-fix-use-after-free-after-deregistration.patch
---

diff --git a/queue-4.9/series b/queue-4.9/series
index b02f251941a..f41b33aebf9 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -69,3 +69,4 @@ usb-serial-garmin_gps-fix-i-o-after-failed-probe-and-remove.patch
 usb-serial-garmin_gps-fix-memory-leak-on-probe-errors.patch
 x86-mce-amd-always-give-panic-severity-for-uc-errors-in-kernel-context.patch
 brcmfmac-don-t-preset-all-channels-as-disabled.patch
+staging-greybus-spilib-fix-use-after-free-after-deregistration.patch
diff --git a/queue-4.9/staging-greybus-spilib-fix-use-after-free-after-deregistration.patch b/queue-4.9/staging-greybus-spilib-fix-use-after-free-after-deregistration.patch
new file mode 100644
index 00000000000..1ee5e7d40f5
--- /dev/null
+++ b/queue-4.9/staging-greybus-spilib-fix-use-after-free-after-deregistration.patch
@@ -0,0 +1,52 @@
+From 770b03c2ca4aa44d226cf248f86aa23e546147d0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sun, 29 Oct 2017 13:01:33 +0100
+Subject: staging: greybus: spilib: fix use-after-free after deregistration
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 770b03c2ca4aa44d226cf248f86aa23e546147d0 upstream.
+
+Remove erroneous spi_master_put() after controller deregistration which
+would access the already freed spi controller.
+
+Note that spi_unregister_master() drops our only controller reference.
+
+Fixes: ba3e67001b42 ("greybus: SPI: convert to a gpbridge driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Rui Miguel Silva <rmfrfs@gmail.com>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/greybus/spilib.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/greybus/spilib.c
++++ b/drivers/staging/greybus/spilib.c
+@@ -544,12 +544,15 @@ int gb_spilib_master_init(struct gb_conn
+ 
+ 	return 0;
+ 
+-exit_spi_unregister:
+-	spi_unregister_master(master);
+ exit_spi_put:
+ 	spi_master_put(master);
+ 
+ 	return ret;
++
++exit_spi_unregister:
++	spi_unregister_master(master);
++
++	return ret;
+ }
+ EXPORT_SYMBOL_GPL(gb_spilib_master_init);
+ 
+@@ -558,7 +561,6 @@ void gb_spilib_master_exit(struct gb_con
+ 	struct spi_master *master = gb_connection_get_data(connection);
+ 
+ 	spi_unregister_master(master);
+-	spi_master_put(master);
+ }
+ EXPORT_SYMBOL_GPL(gb_spilib_master_exit);
+