From: Greg Kroah-Hartman Date: Fri, 11 Dec 2020 14:45:47 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v5.10.1~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=84ab5c28035215bb09faef63d3875fe8b55489b0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: spi-bcm2835aux-fix-use-after-free-on-unbind.patch spi-bcm2835aux-restore-err-assignment-in-bcm2835aux_spi_probe.patch
---
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..855d8849358
--- /dev/null
+++ b/queue-4.4/series
@@ -0,0 +1,2 @@
+spi-bcm2835aux-fix-use-after-free-on-unbind.patch
+spi-bcm2835aux-restore-err-assignment-in-bcm2835aux_spi_probe.patch
diff --git a/queue-4.4/spi-bcm2835aux-fix-use-after-free-on-unbind.patch b/queue-4.4/spi-bcm2835aux-fix-use-after-free-on-unbind.patch
new file mode 100644
index 00000000000..6e6285138da
--- /dev/null
+++ b/queue-4.4/spi-bcm2835aux-fix-use-after-free-on-unbind.patch
@@ -0,0 +1,87 @@
+From foo@baz Fri Dec 11 03:42:15 PM CET 2020
+From: Lukas Wunner
+Date: Thu, 10 Dec 2020 20:20:01 +0100
+Subject: spi: bcm2835aux: Fix use-after-free on unbind
+To: Greg Kroah-Hartman
+Cc: Mark Brown , Sudip Mukherjee , Sasha Levin , Nathan Chancellor , stable@vger.kernel.org
+Message-ID: <6a940079e894346e8ee00878ef844decd216e695.1607626808.git.lukas@wunner.de>
+
+From: Lukas Wunner
+
+[ Upstream commit e13ee6cc4781edaf8c7321bee19217e3702ed481 ]
+
+bcm2835aux_spi_remove() accesses the driver's private data after calling
+spi_unregister_master() even though that function releases the last
+reference on the spi_master and thereby frees the private data.
+
+Fix by switching over to the new devm_spi_alloc_master() helper which
+keeps the private data accessible until the driver has unbound.
+
+Fixes: b9dd3f6d4172 ("spi: bcm2835aux: Fix controller unregister order")
+Signed-off-by: Lukas Wunner
+Cc: # v4.4+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: # v4.4+: b9dd3f6d4172: spi: bcm2835aux: Fix controller unregister order
+Cc: # v4.4+
+Link: https://lore.kernel.org/r/b290b06357d0c0bdee9cecc539b840a90630f101.1605121038.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-bcm2835aux.c | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+--- a/drivers/spi/spi-bcm2835aux.c
++++ b/drivers/spi/spi-bcm2835aux.c
+@@ -381,7 +381,7 @@ static int bcm2835aux_spi_probe(struct p
+ unsigned long clk_hz;
+ int err;
+
+- master = spi_alloc_master(&pdev->dev, sizeof(*bs));
++ master = devm_spi_alloc_master(&pdev->dev, sizeof(*bs));
+ if (!master) {
+ dev_err(&pdev->dev, "spi_alloc_master() failed\n");
+ return -ENOMEM;
+@@ -411,30 +411,26 @@ static int bcm2835aux_spi_probe(struct p
+ /* the main area */
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ bs->regs = devm_ioremap_resource(&pdev->dev, res);
+- if (IS_ERR(bs->regs)) {
+- err = PTR_ERR(bs->regs);
+- goto out_master_put;
+- }
++ if (IS_ERR(bs->regs))
++ return PTR_ERR(bs->regs);
+
+ bs->clk = devm_clk_get(&pdev->dev, NULL);
+ if ((!bs->clk) || (IS_ERR(bs->clk))) {
+- err = PTR_ERR(bs->clk);
+ dev_err(&pdev->dev, "could not get clk: %d\n", err);
+- goto out_master_put;
++ return PTR_ERR(bs->clk);
+ }
+
+ bs->irq = platform_get_irq(pdev, 0);
+ if (bs->irq <= 0) {
+ dev_err(&pdev->dev, "could not get IRQ: %d\n", bs->irq);
+- err = bs->irq ? bs->irq : -ENODEV;
+- goto out_master_put;
++ return bs->irq ? bs->irq : -ENODEV;
+ }
+
+ /* this also enables the HW block */
+ err = clk_prepare_enable(bs->clk);
+ if (err) {
+ dev_err(&pdev->dev, "could not prepare clock: %d\n", err);
+- goto out_master_put;
++ return err;
+ }
+
+ /* just checking if the clock returns a sane value */
+@@ -467,8 +463,6 @@ static int bcm2835aux_spi_probe(struct p
+
+ out_clk_disable:
+ clk_disable_unprepare(bs->clk);
+-out_master_put:
+- spi_master_put(master);
+ return err;
+ }
+
diff --git a/queue-4.4/spi-bcm2835aux-restore-err-assignment-in-bcm2835aux_spi_probe.patch b/queue-4.4/spi-bcm2835aux-restore-err-assignment-in-bcm2835aux_spi_probe.patch
new file mode 100644
index 00000000000..e1b3b4d75cf
--- /dev/null
+++ b/queue-4.4/spi-bcm2835aux-restore-err-assignment-in-bcm2835aux_spi_probe.patch
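Review bot: The `devm_spi_alloc_master()` call in the -381 hunk carries no comment saying why the allocation must be device-managed, so a later cleanup could switch it back and reintroduce the use-after-free the commit message describes. A short comment above it would record the constraint, e.g. `/* devm: bs must outlive spi_unregister_master() in bcm2835aux_spi_remove() */`. The failure message two lines below still reads `"spi_alloc_master() failed\n"` and could name the helper now being called. bcm2835aux_spi_probe() starts and ends outside these hunks and bcm2835aux_spi_remove() is not shown, so the ordering there is taken from the commit message.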
@@ -0,0 +1,58 @@
+From foo@baz Fri Dec 11 03:42:15 PM CET 2020
+From: Lukas Wunner
+Date: Thu, 10 Dec 2020 20:20:02 +0100
+Subject: spi: bcm2835aux: Restore err assignment in bcm2835aux_spi_probe
+To: Greg Kroah-Hartman
+Cc: Mark Brown , Sudip Mukherjee , Sasha Levin , Nathan Chancellor , stable@vger.kernel.org
+Message-ID: <0dc949d865558ca23bd9decf10b9c4092f7576c1.1607626808.git.lukas@wunner.de>
+
+From: Nathan Chancellor
+
+[ Upstream commit d853b3406903a7dc5b14eb5bada3e8cd677f66a2 ]
+
+Clang warns:
+
+drivers/spi/spi-bcm2835aux.c:532:50: warning: variable 'err' is
+uninitialized when used here [-Wuninitialized]
+ dev_err(&pdev->dev, "could not get clk: %d\n", err);
+ ^~~
+./include/linux/dev_printk.h:112:32: note: expanded from macro 'dev_err'
+ _dev_err(dev, dev_fmt(fmt), ##__VA_ARGS__)
+ ^~~~~~~~~~~
+drivers/spi/spi-bcm2835aux.c:495:9: note: initialize the variable 'err'
+to silence this warning
+ int err;
+ ^
+ = 0
+1 warning generated.
+
+Restore the assignment so that the error value can be used in the
+dev_err statement and there is no uninitialized memory being leaked.
+
+Fixes: e13ee6cc4781 ("spi: bcm2835aux: Fix use-after-free on unbind")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1199
+Signed-off-by: Nathan Chancellor
+Link: https://lore.kernel.org/r/20201113180701.455541-1-natechancellor@gmail.com
+Signed-off-by: Mark Brown
+[lukas: backport to 4.19-stable, add stable designation]
+Signed-off-by: Lukas Wunner
+Cc: # v4.4+: e13ee6cc4781: spi: bcm2835aux: Fix use-after-free on unbind
+Cc: # v4.4+
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-bcm2835aux.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-bcm2835aux.c
++++ b/drivers/spi/spi-bcm2835aux.c
+@@ -416,8 +416,9 @@ static int bcm2835aux_spi_probe(struct p
+
+ bs->clk = devm_clk_get(&pdev->dev, NULL);
+ if ((!bs->clk) || (IS_ERR(bs->clk))) {
++ err = PTR_ERR(bs->clk);
+ dev_err(&pdev->dev, "could not get clk: %d\n", err);
+- return PTR_ERR(bs->clk);
++ return err;
+ }
+
+ bs->irq = platform_get_irq(pdev, 0);
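Review bot: When `bs->clk` is NULL the restored `err = PTR_ERR(bs->clk);` evaluates to 0, so this branch logs "could not get clk: 0" and `return err;` reports a successful probe although no controller was registered. The condition `(!bs->clk) || (IS_ERR(bs->clk))` treats NULL as a failure, so the code should map it to an error code, for example `err = bs->clk ? PTR_ERR(bs->clk) : -ENODEV;`. The same holds for `return PTR_ERR(bs->clk);` in the first patch's -411 hunk, and the pattern predates both patches. Whether devm_clk_get() can return NULL in the configurations this driver is built for is not visible here, so the path may be unreachable in practice. The rest of bcm2835aux_spi_probe() lies outside the hunk.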