Re: [PATCH v2] spi: imx: fix use-after-free during driver removal

With CONFIG_SLUB_DEBUG_ON enabled, an unhandled fault error appears
when unbinding the driver.

The SPI controller driver memory is freed inside spi_imx_remove prior
to executing PM callbacks, thus leading to a use-after-free.

Fix it by switching to the devm version of spi_register_controller.

Unhandled fault: alignment exception (0x001) at 0x6b6b6c53
[6b6b6c53] *pgd=00000000
Internal error: : 1 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 2 PID: 1241 Comm: rebind.sh Not tainted 6.10.0-dnm3pv2-dnm3pv2-ga03695deba11 #1
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
PC is at __pm_runtime_resume+0x58/0x6c
LR is at spi_imx_remove+0x1c/0xa8
pc : [<80632438>]    lr : [<806ebefc>]    psr: 20010013
sp : f1d81e88  ip : 83c0e204  fp : 00000000
r10: 00000000  r9 : 00000000  r8 : 82dd9454
r7 : 82dda054  r6 : 810f82f0  r5 : 00000004  r4 : 6b6b6b6b
r3 : 6b6b6c53  r2 : 85321240  r1 : 00000004  r0 : 6b6b6b6b
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 10c5387d  Table: 1687c04a  DAC: 00000051

Register r12 information: slab kmalloc-64 start 83c0e180 data offset 64 pointer offset 68 size 64 allocated at kobject_set_name_vargs+0x2c/0xa0
    kmalloc_node_track_caller_noprof+0x14c/0x37c
    kvasprintf+0x5c/0xcc
    kobject_set_name_vargs+0x2c/0xa0
    dev_set_name+0x2c/0x58
    spi_register_controller+0xcc/0xc48
    spi_imx_probe+0x41c/0x694
    platform_probe+0x5c/0xb0
    really_probe+0xe0/0x3cc
    __driver_probe_device+0x9c/0x1e0
    driver_probe_device+0x30/0xc0
    __driver_attach+0x11c/0x1cc
    bus_for_each_dev+0x7c/0xcc
    bus_add_driver+0xe0/0x220
    driver_register+0x7c/0x114
    do_one_initcall+0x58/0x240
    kernel_init_freeable+0x198/0x1f4
 Free path:
    kobject_put+0xd0/0x29c
    spi_imx_remove+0x10/0xa8
    platform_remove+0x20/0x5c
    device_release_driver_internal+0x184/0x1f0
    unbind_store+0x54/0x90
    kernfs_fop_write_iter+0xfc/0x1e8
    vfs_write+0x25c/0x450
    ksys_write+0x70/0xf0
    ret_fast_syscall+0x0/0x54

Call trace:
 __pm_runtime_resume from spi_imx_remove+0x1c/0xa8
 spi_imx_remove from platform_remove+0x20/0x5c
 platform_remove from device_release_driver_internal+0x184/0x1f0
 device_release_driver_internal from unbind_store+0x54/0x90
 unbind_store from kernfs_fop_write_iter+0xfc/0x1e8
 kernfs_fop_write_iter from vfs_write+0x25c/0x450
 vfs_write from ksys_write+0x70/0xf0
 ksys_write from ret_fast_syscall+0x0/0x54

Fixes: 307c897db762 ("spi: spi-imx: replace struct spi_imx_data::bitbang by pointer to struct spi_controller")
Signed-off-by: Kirill Yatsenko <kirill.yatsenko@xxxxxxxxxxxxxxx>
---
Changes in v2:
            Shorter Kernel oops message
---
 drivers/spi/spi-imx.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index 4a56a5b16e12..14834c4e839a 100644
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -1854,7 +1854,7 @@ static int spi_imx_probe(struct platform_device *pdev)
 	spi_imx->devtype_data->intctrl(spi_imx, 0);
 
 	controller->dev.of_node = pdev->dev.of_node;
-	ret = spi_register_controller(controller);
+	ret = devm_spi_register_controller(&pdev->dev, controller);
 	if (ret) {
 		dev_err_probe(&pdev->dev, ret, "register controller failed\n");
 		goto out_register_controller;
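
Review bot: Switching to devm_spi_register_controller() here mixes a devres-managed registration with the goto-based unwinding that this probe function otherwise uses, as the `goto out_register_controller` two lines below shows. The devres release only runs after probe has returned with an error, so any failure after this call would execute its manual error labels while the controller is still registered. Please confirm that nothing after this point in spi_imx_probe() can fail, or say so in the changelog, so the ordering assumption is documented with the change.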
@@ -1900,8 +1900,6 @@ static void spi_imx_remove(struct platform_device *pdev)
 	struct spi_imx_data *spi_imx = spi_controller_get_devdata(controller);
 	int ret;
 
-	spi_unregister_controller(controller);
-
 	ret = pm_runtime_get_sync(spi_imx->dev);
 	if (ret >= 0)
 		writel(0, spi_imx->base + MXC_CSPICTRL);
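
Review bot: With spi_unregister_controller() dropped from the top of spi_imx_remove(), the pm_runtime_get_sync() and `writel(0, spi_imx->base + MXC_CSPICTRL)` that follow now run while the controller is still registered, because the devres unregister happens only after remove() returns. That removes the use-after-free on spi_imx, but it opens a window in which child SPI devices are still bound and can submit transfers to hardware that remove() has already disabled. An alternative that keeps the original teardown order is to leave the explicit spi_unregister_controller() in place and hold a reference across the function with spi_controller_get() at the start and spi_controller_put() at the end. If the devm approach is kept, the changelog should explain why transfers cannot arrive during that window.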
-- 
2.34.1





