From: Greg Kroah-Hartman Date: Tue, 24 Nov 2020 18:10:13 +0000 (+0100) Subject: 5.9-stable patches X-Git-Tag: v4.4.247~52 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6d226ddea4b6f0a75376cdeeba7f8f4a04abddd2;p=thirdparty%2Fkernel%2Fstable-queue.git 5.9-stable patches added patches: spi-bcm2835-fix-use-after-free-on-unbind.patch
---
diff --git a/queue-5.9/series b/queue-5.9/series
index bea91a17c40..8aceea7fb4f 100644
--- a/queue-5.9/series
+++ b/queue-5.9/series
@@ -1,3 +1,4 @@
 io_uring-get-an-active-ref_node-from-files_data.patch
 io_uring-order-refnode-recycling.patch
 spi-bcm-qspi-fix-use-after-free-on-unbind.patch
+spi-bcm2835-fix-use-after-free-on-unbind.patch
diff --git a/queue-5.9/spi-bcm2835-fix-use-after-free-on-unbind.patch b/queue-5.9/spi-bcm2835-fix-use-after-free-on-unbind.patch
new file mode 100644
index 00000000000..20a6708a564
--- /dev/null
+++ b/queue-5.9/spi-bcm2835-fix-use-after-free-on-unbind.patch
@@ -0,0 +1,87 @@
+From foo@baz Tue Nov 24 07:07:16 PM CET 2020
+From: Lukas Wunner
+Date: Wed, 11 Nov 2020 20:07:20 +0100
+Subject: spi: bcm2835: Fix use-after-free on unbind
+
+From: Lukas Wunner
+
+commit e1483ac030fb4c57734289742f1c1d38dca61e22 upstream
+
+bcm2835_spi_remove() accesses the driver's private data after calling
+spi_unregister_controller() even though that function releases the last
+reference on the spi_controller and thereby frees the private data.
+
+Fix by switching over to the new devm_spi_alloc_master() helper which
+keeps the private data accessible until the driver has unbound.
+
+Fixes: f8043872e796 ("spi: add driver for BCM2835")
+Reported-by: Sascha Hauer
+Reported-by: Florian Fainelli
+Signed-off-by: Lukas Wunner
+Cc: # v3.10+: 123456789abc: spi: Introduce device-managed SPI controller allocation
+Cc: # v3.10+
+Cc: Vladimir Oltean
+Tested-by: Florian Fainelli
+Acked-by: Florian Fainelli
+Link: https://lore.kernel.org/r/ad66e0a0ad96feb848814842ecf5b6a4539ef35c.1605121038.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-bcm2835.c | 27 ++++++++-------------------
+ 1 file changed, 8 insertions(+), 19 deletions(-)
+
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -1278,7 +1278,7 @@ static int bcm2835_spi_probe(struct plat
+ struct bcm2835_spi *bs;
+ int err;
+
+- ctlr = spi_alloc_master(&pdev->dev, ALIGN(sizeof(*bs),
++ ctlr = devm_spi_alloc_master(&pdev->dev, ALIGN(sizeof(*bs),
+ dma_get_cache_alignment()));
+ if (!ctlr)
+ return -ENOMEM;
+@@ -1299,26 +1299,17 @@ static int bcm2835_spi_probe(struct plat
+ bs->ctlr = ctlr;
+
+ bs->regs = devm_platform_ioremap_resource(pdev, 0);
+- if (IS_ERR(bs->regs)) {
+- err = PTR_ERR(bs->regs);
+- goto out_controller_put;
+- }
++ if (IS_ERR(bs->regs))
++ return PTR_ERR(bs->regs);
+
+ bs->clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(bs->clk)) {
+- err = PTR_ERR(bs->clk);
+- if (err == -EPROBE_DEFER)
+- dev_dbg(&pdev->dev, "could not get clk: %d\n", err);
+- else
+- dev_err(&pdev->dev, "could not get clk: %d\n", err);
+- goto out_controller_put;
+- }
++ if (IS_ERR(bs->clk))
++ return dev_err_probe(&pdev->dev, PTR_ERR(bs->clk),
++ "could not get clk\n");
+
+ bs->irq = platform_get_irq(pdev, 0);
+- if (bs->irq <= 0) {
+- err = bs->irq ? bs->irq : -ENODEV;
+- goto out_controller_put;
+- }
++ if (bs->irq <= 0)
++ return bs->irq ? bs->irq : -ENODEV;
+
+ clk_prepare_enable(bs->clk);
+
+@@ -1352,8 +1343,6 @@ out_dma_release:
+ bcm2835_dma_release(ctlr, bs);
+ out_clk_disable:
+ clk_disable_unprepare(bs->clk);
+-out_controller_put:
+- spi_controller_put(ctlr);
+ return err;
+ }
+
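Review bot: The prerequisite in `Cc: # v3.10+: 123456789abc: spi: Introduce device-managed SPI controller allocation` is named by what looks like a placeholder hash, and nothing on this page shows that `devm_spi_alloc_master()` exists in the 5.9 tree this patch is queued for; the first probe hunk will not build without it. The earlier bcm-qspi entry in `series` suggests the helper is already there, but that should be confirmed rather than inferred, and the real commit id recorded in place of the placeholder. Separately, the clk error path is rewritten to `dev_err_probe()` although the description only mentions the allocation change; a one-line backport note above the sign-offs, such as `[backport: clk error path uses dev_err_probe()]`, would make that extra change visible. The use-after-free sits in bcm2835_spi_remove(), which is outside these hunks, so the lifetime fix can only be checked against that function and the helper itself.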