On 11/29/20 2:35 PM, Lukas Wunner wrote: >>> rpcif_spi_remove() accesses the driver's private data after calling >>> spi_unregister_controller() even though that function releases the last >>> reference on the spi_controller and thereby frees the private data. >> >> OK, your analysis seems correct (sorry for the delay admitting this :-). > > Thanks! Is it okay to take this for an Acked-by? Not yet. :-) >> Not sure why spi_unregister_controller() drops the device reference >> while spi_register_controller() itself doesn't allocate the memory... > > Yes, that's exactly what I'm trying to move away from with > devm_spi_alloc_master() (introduced in v5.10-rc5 by 5e844cc37a5c). > The API as it has been so far has made it really easy to shoot oneself > in the foot. Maybe it needs to be fixed, rather than using the managed device API? >>> Fix by switching over to the new devm_spi_alloc_master() helper which >>> keeps the private data accessible until the driver has unbound. >> >> Perhaps the order of the calls in the remove() method could be reversed? > > I'm not familiar with power management on these Renesas controllers > but rpcif_disable_rpm() calls pm_runtime_put_sync(), which I assume > may put the controller to sleep. Sigh, that's a stupid typo on my part, being fixed now to pm_runtim_disable()... > SPI transfers may still be ongoing until spi_unregister_controller() > returns. Specifically, this function unbinds and unregisters all > SPI slaves attached to the controller and the slaves' drivers may > need to perform SPI transfers to quiesce interrupts on the slaves etc. > > Thus, the correct order is to call spi_unregister_controller() first > and only then perform further teardown steps. So the order in > rpcif_spi_remove() seems correct to me. OK. :-) > The only thing that looks confusing is that rpcif_enable_rpm() calls > pm_runtime_enable(), whereas rpcif_disable_rpm() calls > pm_runtime_put_sync(). That looks incongruent. Do you need a link to the fix (it a whole patchset of minor fixes)? > Thanks, > > Lukas MBR, Sergei
Re: [PATCH for-5.10] spi: rpc-if: Fix use-after-free on unbind
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: [PATCH for-5.10] spi: rpc-if: Fix use-after-free on unbind
- From: Sergey Shtylyov <s.shtylyov@xxxxxxxxxxxx>
- Date: Mon, 30 Nov 2020 22:18:12 +0300
- Cc: Mark Brown <broonie@xxxxxxxxxx>, <linux-spi@xxxxxxxxxxxxxxx>, "Sergei Shtylyov" <sergei.shtylyov@xxxxxxxxxxxxxxxxxx>
- In-reply-to: <20201129113548.GA2587@wunner.de>
- Organization: Open Mobile Platform, LLC
- References: <73adc6ba84a4f968f2e1499a776e5c928fbdde56.1605512876.git.lukas@wunner.de> <bf610a9fc88376e2cdf661c4ad0bb275ee5f4f20.1605512876.git.lukas@wunner.de> <9534f4fb-6f5e-b538-6903-e702a7301b1d@omprussia.ru> <20201129113548.GA2587@wunner.de>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.4.0
- Follow-Ups:
- Re: [PATCH for-5.10] spi: rpc-if: Fix use-after-free on unbind
- From: Lukas Wunner
- Re: [PATCH for-5.10] spi: rpc-if: Fix use-after-free on unbind
- References:
- [PATCH for-5.10] spi: spi-geni-qcom: Fix use-after-free on unbind
- From: Lukas Wunner
- [PATCH for-5.10] spi: rpc-if: Fix use-after-free on unbind
- From: Lukas Wunner
- Re: [PATCH for-5.10] spi: rpc-if: Fix use-after-free on unbind
- From: Sergey Shtylyov
- Re: [PATCH for-5.10] spi: rpc-if: Fix use-after-free on unbind
- From: Lukas Wunner
- [PATCH for-5.10] spi: spi-geni-qcom: Fix use-after-free on unbind
- Prev by Date: Re: [PATCH] spi: fsl: fix use of spisel_boot signal on MPC8309
- Next by Date: [PATCH] spi: spi-fsl-dspi: Use max_native_cs instead of num_chipselect to set SPI_MCR
- Previous by thread: Re: [PATCH for-5.10] spi: rpc-if: Fix use-after-free on unbind
- Next by thread: Re: [PATCH for-5.10] spi: rpc-if: Fix use-after-free on unbind
- Index(es):
 |