From 75706039b360946f1906b661df7f0499fb5bf110 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 11 Dec 2020 16:51:42 +0100
Subject: [PATCH] 4.19-stable patches
added patches:
 spi-bcm2835aux-fix-use-after-free-on-unbind.patch
 spi-bcm2835aux-restore-err-assignment-in-bcm2835aux_spi_probe.patch
---
 queue-4.19/series | 2 +
 ...2835aux-fix-use-after-free-on-unbind.patch | 87 +++++++++++++++++++
 ...r-assignment-in-bcm2835aux_spi_probe.patch | 58 +++++++++++++
 3 files changed, 147 insertions(+)
 create mode 100644 queue-4.19/spi-bcm2835aux-fix-use-after-free-on-unbind.patch
 create mode 100644 queue-4.19/spi-bcm2835aux-restore-err-assignment-in-bcm2835aux_spi_probe.patch
diff --git a/queue-4.19/series b/queue-4.19/series
index c7267db178e..aebc2263e4a 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -1,2 +1,4 @@
 kbuild-do-not-emit-debug-info-for-assembly-with-llvm_ias-1.patch
 x86-lib-change-.weak-to-sym_func_start_weak-for-arch-x86-lib-mem-_64.s.patch
+spi-bcm2835aux-fix-use-after-free-on-unbind.patch
+spi-bcm2835aux-restore-err-assignment-in-bcm2835aux_spi_probe.patch
diff --git a/queue-4.19/spi-bcm2835aux-fix-use-after-free-on-unbind.patch b/queue-4.19/spi-bcm2835aux-fix-use-after-free-on-unbind.patch
new file mode 100644
index 00000000000..7cc80433606
--- /dev/null
+++ b/queue-4.19/spi-bcm2835aux-fix-use-after-free-on-unbind.patch
@@ -0,0 +1,87 @@
+From foo@baz Fri Dec 11 03:43:06 PM CET 2020
+From: Lukas Wunner
+Date: Thu, 10 Dec 2020 20:20:01 +0100
+Subject: spi: bcm2835aux: Fix use-after-free on unbind
+To: Greg Kroah-Hartman
+Cc: Mark Brown , Sudip Mukherjee , Sasha Levin , Nathan Chancellor , stable@vger.kernel.org
+Message-ID: <6a940079e894346e8ee00878ef844decd216e695.1607626808.git.lukas@wunner.de>
+
+From: Lukas Wunner
+
+[ Upstream commit e13ee6cc4781edaf8c7321bee19217e3702ed481 ]
+
+bcm2835aux_spi_remove() accesses the driver's private data after calling
+spi_unregister_master() even though that function releases the last
+reference on the spi_master and thereby frees the private data.
+
+Fix by switching over to the new devm_spi_alloc_master() helper which
+keeps the private data accessible until the driver has unbound.
+
+Fixes: b9dd3f6d4172 ("spi: bcm2835aux: Fix controller unregister order")
+Signed-off-by: Lukas Wunner
+Cc: # v4.4+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: # v4.4+: b9dd3f6d4172: spi: bcm2835aux: Fix controller unregister order
+Cc: # v4.4+
+Link: https://lore.kernel.org/r/b290b06357d0c0bdee9cecc539b840a90630f101.1605121038.git.lukas@wunner.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-bcm2835aux.c | 18 ++++++------------
+ 1 file changed, 6 insertions(+), 12 deletions(-)
+
+--- a/drivers/spi/spi-bcm2835aux.c
++++ b/drivers/spi/spi-bcm2835aux.c
+@@ -407,7 +407,7 @@ static int bcm2835aux_spi_probe(struct p
+ unsigned long clk_hz;
+ int err;
+
+- master = spi_alloc_master(&pdev->dev, sizeof(*bs));
++ master = devm_spi_alloc_master(&pdev->dev, sizeof(*bs));
+ if (!master) {
+ dev_err(&pdev->dev, "spi_alloc_master() failed\n");
+ return -ENOMEM;
+@@ -439,30 +439,26 @@ static int bcm2835aux_spi_probe(struct p
+ /* the main area */
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ bs->regs = devm_ioremap_resource(&pdev->dev, res);
+- if (IS_ERR(bs->regs)) {
+- err = PTR_ERR(bs->regs);
+- goto out_master_put;
+- }
++ if (IS_ERR(bs->regs))
++ return PTR_ERR(bs->regs);
+
+ bs->clk = devm_clk_get(&pdev->dev, NULL);
+ if ((!bs->clk) || (IS_ERR(bs->clk))) {
+- err = PTR_ERR(bs->clk);
+ dev_err(&pdev->dev, "could not get clk: %d\n", err);
+- goto out_master_put;
++ return PTR_ERR(bs->clk);
+ }
+
+ bs->irq = platform_get_irq(pdev, 0);
+ if (bs->irq <= 0) {
+ dev_err(&pdev->dev, "could not get IRQ: %d\n", bs->irq);
+- err = bs->irq ? bs->irq : -ENODEV;
+- goto out_master_put;
++ return bs->irq ? bs->irq : -ENODEV;
+ }
+
+ /* this also enables the HW block */
+ err = clk_prepare_enable(bs->clk);
+ if (err) {
+ dev_err(&pdev->dev, "could not prepare clock: %d\n", err);
+- goto out_master_put;
++ return err;
+ }
+
+ /* just checking if the clock returns a sane value */
+@@ -495,8 +491,6 @@ static int bcm2835aux_spi_probe(struct p
+
+ out_clk_disable:
+ clk_disable_unprepare(bs->clk);
+-out_master_put:
+- spi_master_put(master);
+ return err;
+ }
+
diff --git a/queue-4.19/spi-bcm2835aux-restore-err-assignment-in-bcm2835aux_spi_probe.patch b/queue-4.19/spi-bcm2835aux-restore-err-assignment-in-bcm2835aux_spi_probe.patch
new file mode 100644
index 00000000000..d16a76d5ce1
--- /dev/null
+++ b/queue-4.19/spi-bcm2835aux-restore-err-assignment-in-bcm2835aux_spi_probe.patch
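Review bot: Nothing in this commit shows that `devm_spi_alloc_master()` exists in the 4.19 tree: the queued patch header names 5e844cc37a5c ("spi: Introduce device-managed SPI controller allocation") as a prerequisite, while the `queue-4.19/series` hunk shows the queue held only two unrelated patches before this addition. Presumably the helper already shipped in an earlier 4.19.y release; that should be confirmed before the queue goes out, because without it the driver will not build. Separately, with this patch applied on its own the `dev_err(&pdev->dev, "could not get clk: %d\n", err);` line prints `err` before anything has been assigned to it, so the follow-up patch has to stay directly behind it in the series, as it does here.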
@@ -0,0 +1,58 @@
+From foo@baz Fri Dec 11 03:43:06 PM CET 2020
+From: Lukas Wunner
+Date: Thu, 10 Dec 2020 20:20:02 +0100
+Subject: spi: bcm2835aux: Restore err assignment in bcm2835aux_spi_probe
+To: Greg Kroah-Hartman
+Cc: Mark Brown , Sudip Mukherjee , Sasha Levin , Nathan Chancellor , stable@vger.kernel.org
+Message-ID: <0dc949d865558ca23bd9decf10b9c4092f7576c1.1607626808.git.lukas@wunner.de>
+
+From: Nathan Chancellor
+
+[ Upstream commit d853b3406903a7dc5b14eb5bada3e8cd677f66a2 ]
+
+Clang warns:
+
+drivers/spi/spi-bcm2835aux.c:532:50: warning: variable 'err' is
+uninitialized when used here [-Wuninitialized]
+ dev_err(&pdev->dev, "could not get clk: %d\n", err);
+ ^~~
+./include/linux/dev_printk.h:112:32: note: expanded from macro 'dev_err'
+ _dev_err(dev, dev_fmt(fmt), ##__VA_ARGS__)
+ ^~~~~~~~~~~
+drivers/spi/spi-bcm2835aux.c:495:9: note: initialize the variable 'err'
+to silence this warning
+ int err;
+ ^
+ = 0
+1 warning generated.
+
+Restore the assignment so that the error value can be used in the
+dev_err statement and there is no uninitialized memory being leaked.
+
+Fixes: e13ee6cc4781 ("spi: bcm2835aux: Fix use-after-free on unbind")
+Link: https://github.com/ClangBuiltLinux/linux/issues/1199
+Signed-off-by: Nathan Chancellor
+Link: https://lore.kernel.org/r/20201113180701.455541-1-natechancellor@gmail.com
+Signed-off-by: Mark Brown
+[lukas: backport to 4.19-stable, add stable designation]
+Signed-off-by: Lukas Wunner
+Cc: # v4.4+: e13ee6cc4781: spi: bcm2835aux: Fix use-after-free on unbind
+Cc: # v4.4+
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-bcm2835aux.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-bcm2835aux.c
++++ b/drivers/spi/spi-bcm2835aux.c
+@@ -444,8 +444,9 @@ static int bcm2835aux_spi_probe(struct p
+
+ bs->clk = devm_clk_get(&pdev->dev, NULL);
+ if ((!bs->clk) || (IS_ERR(bs->clk))) {
++ err = PTR_ERR(bs->clk);
+ dev_err(&pdev->dev, "could not get clk: %d\n", err);
+- return PTR_ERR(bs->clk);
++ return err;
+ }
+
+ bs->irq = platform_get_irq(pdev, 0);
-- 
2.47.3
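Review bot: In the clk check the restored `err = PTR_ERR(bs->clk);` evaluates to 0 when it is the `(!bs->clk)` half of the condition that matched, so bcm2835aux_spi_probe() would log "could not get clk: 0" and `return err;` would then report success with no controller registered. If a NULL return from devm_clk_get() is possible in this configuration (not visible from the hunk), the assignment should be `err = bs->clk ? PTR_ERR(bs->clk) : -ENODEV;`; if it is not possible, the NULL test is dead code and could be dropped. The function begins and ends outside the hunk, and because this is a stable backport the change would belong upstream first.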