Re: [PATCH 4/4] spi: bcm-qspi: Fix use-after-free on unbind

On 11/11/20 11:07 AM, Lukas Wunner wrote:
> bcm_qspi_remove() calls spi_unregister_master() even though
> bcm_qspi_probe() calls devm_spi_register_master().  The spi_master is
> therefore unregistered and freed twice on unbind.
> 
> Moreover, since commit 0392727c261b ("spi: bcm-qspi: Handle clock probe
> deferral"), bcm_qspi_probe() leaks the spi_master allocation if the call
> to devm_clk_get_optional() fails.
> 
> Fix by switching over to the new devm_spi_alloc_master() helper which
> keeps the private data accessible until the driver has unbound and also
> avoids the spi_master leak on probe.
> 
> While at it, fix an ordering issue in bcm_qspi_remove() wherein
> spi_unregister_master() is called after uninitializing the hardware,
> disabling the clock and freeing an IRQ data structure.  The correct
> order is to call spi_unregister_master() *before* those teardown steps
> because bus accesses may still be ongoing until that function returns.
> 
> Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver")
> Signed-off-by: Lukas Wunner <lukas@xxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx> # v4.9+: 123456789abc: spi: Introduce device-managed SPI controller allocation
> Cc: <stable@xxxxxxxxxxxxxxx> # v4.9+
> Cc: Kamal Dasu <kdasu.kdev@xxxxxxxxx>

Acked-by: Florian Fainelli <f.fainelli@xxxxxxxxx>
Tested-by: Florian Fainelli <f.fainelli@xxxxxxxxx>

We did have a use-after-free before your patch, thanks!
-- 
Florian
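
The unbind sequence described in the quoted commit message, as an added user-space model that is not code from this thread or from the bcm-qspi driver. All names are hypothetical, and the "after" flow assumes the device-managed action only drops the allocation's reference once remove() has returned.

```c
#include <stdio.h>

/* User-space model of driver unbind; not kernel code, names hypothetical. */
struct ctlr { int refs, registered, hw_up, uaf, late_bus; };
typedef void (*action_t)(struct ctlr *);

static action_t devres[4];  /* device-managed actions, run LIFO after remove() */
static int ndevres;
static void devm_add(action_t a) { devres[ndevres++] = a; }

/* Count any access made once the last reference is gone. */
static void touch(struct ctlr *c) { if (c->refs <= 0) c->uaf++; }
static void put(struct ctlr *c) { c->refs--; }
static void hw_teardown(struct ctlr *c) { touch(c); c->hw_up = 0; }

/* Bus accesses may still be ongoing until unregistering returns. */
static void unregister(struct ctlr *c)
{
    touch(c);
    if (c->registered && !c->hw_up)
        c->late_bus++;      /* transfer could hit torn-down hardware */
    c->registered = 0;
}
static void unregister_and_put(struct ctlr *c) { unregister(c); put(c); }

/* Before: hardware torn down first, then a manual unregister that frees. */
static void remove_before(struct ctlr *c) { hw_teardown(c); unregister_and_put(c); }
/* After: unregister first; the reference is left to the managed action. */
static void remove_after(struct ctlr *c) { unregister(c); hw_teardown(c); }

static struct ctlr unbind(int fixed)
{
    struct ctlr c = { .refs = 1, .registered = 1, .hw_up = 1 };
    ndevres = 0;
    devm_add(fixed ? put : unregister_and_put);     /* queued at probe time */
    (fixed ? remove_after : remove_before)(&c);     /* driver's remove() */
    while (ndevres)
        devres[--ndevres](&c);                      /* managed cleanup */
    return c;
}

int main(void)
{
    struct ctlr b = unbind(0), a = unbind(1);
    printf("before: uaf=%d late_bus=%d refs=%d\n", b.uaf, b.late_bus, b.refs);
    printf("after:  uaf=%d late_bus=%d refs=%d\n", a.uaf, a.late_bus, a.refs);
    return 0;
}
```

In the "before" flow the managed action repeats the unregister on an allocation whose only reference was already dropped, and the reference count goes negative; in the "after" flow the single unregister happens while the hardware is still up.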


