[bug report] spi: Add call to spi_slave_abort() function when spidev driver is released

Dan Carpenter <dan.carpenter@xxxxxxxxxx> · Tue, 1 Oct 2019 11:32:40 +0300

Hello Lukasz Majewski,

The patch 9f918a728cf8: "spi: Add call to spi_slave_abort() function
when spidev driver is released" from Sep 25, 2019, leads to the
following static checker warning:

    drivers/spi/spidev.c:631 spidev_release()
    error: dereferencing freed memory 'spidev'

    drivers/spi/spidev.c:631 spidev_release()
    error: we previously assumed 'spidev->spi' could be null (see line 624)

drivers/spi/spidev.c
   600  static int spidev_release(struct inode *inode, struct file *filp)
   601  {
   602          struct spidev_data      *spidev;
   603  
   604          mutex_lock(&device_list_lock);
   605          spidev = filp->private_data;
   606          filp->private_data = NULL;
   607  
   608          /* last close? */
   609          spidev->users--;
   610          if (!spidev->users) {
   611                  int             dofree;
   612  
   613                  kfree(spidev->tx_buffer);
   614                  spidev->tx_buffer = NULL;
   615  
   616                  kfree(spidev->rx_buffer);
   617                  spidev->rx_buffer = NULL;
   618  
   619                  spin_lock_irq(&spidev->spi_lock);
   620                  if (spidev->spi)
   621                          spidev->speed_hz = spidev->spi->max_speed_hz;
   622  
   623                  /* ... after we unbound from the underlying device? */
   624                  dofree = (spidev->spi == NULL);
                                  ^^^^^^^^^^^^^^^^^^^
This can be NULL

   625                  spin_unlock_irq(&spidev->spi_lock);
   626  
   627                  if (dofree)
   628                          kfree(spidev);
                                      ^^^^^^
and this is freed

   629          }
   630  #ifdef CONFIG_SPI_SLAVE
   631          spi_slave_abort(spidev->spi);
                                ^^^^^^^^^^^
So there is a potential issue here.  spi_slave_abort() dereferences
"spidev->spi" without checking for NULL.

   632  #endif
   633          mutex_unlock(&device_list_lock);
   634  
   635          return 0;
   636  }

regards,
dan carpenter