Re: [PATCH 1/5] spi: imx: fix use-after-free on unbind
From: Marc Kleine-Budde
Date: Mon Mar 23 2026 - 07:01:25 EST
On 23.03.2026 11:49:44, Johan Hovold wrote:
> The SPI subsystem frees the controller and any subsystem allocated
> driver data as part of deregistration (unless the allocation is device
> managed).
>
> Take another reference before deregistering the controller so that the
> driver data is not freed until the driver is done with it.
Would re-ordering the spi_imx_remove() function be an alternative fix?
I.e. call spi_unregister_controller() last?
regards,
Marc
>
> Fixes: 307c897db762 ("spi: spi-imx: replace struct spi_imx_data::bitbang by pointer to struct spi_controller")
> Cc: stable@xxxxxxxxxxxxxxx # 5.19
> Cc: Marc Kleine-Budde <mkl@xxxxxxxxxxxxxx>
> Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
> ---
> drivers/spi/spi-imx.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
> index 64c6c09e1e7b..a8d90c86a8a1 100644
> --- a/drivers/spi/spi-imx.c
> +++ b/drivers/spi/spi-imx.c
> @@ -2401,6 +2401,8 @@ static void spi_imx_remove(struct platform_device *pdev)
> struct spi_imx_data *spi_imx = spi_controller_get_devdata(controller);
> int ret;
>
> + spi_controller_get(controller);
> +
> spi_unregister_controller(controller);
>
> ret = pm_runtime_get_sync(spi_imx->dev);
> @@ -2414,6 +2416,8 @@ static void spi_imx_remove(struct platform_device *pdev)
> pm_runtime_disable(spi_imx->dev);
>
> spi_imx_sdma_exit(spi_imx);
> +
> + spi_controller_put(controller);
> }
>
> static int spi_imx_runtime_resume(struct device *dev)
> --
> 2.52.0
>
>
--
Pengutronix e.K. | Marc Kleine-Budde |
Embedded Linux | https://www.pengutronix.de |
Vertretung Nürnberg | Phone: +49-5121-206917-129 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-9 |
Attachment:
signature.asc
Description: PGP signature