Re: [PATCH 1/5] spi: imx: fix use-after-free on unbind

Next message: Ioana Ciornei: "[PATCH net-next v5 1/3] net: dpaa2-mac: extend APIs related to statistics"
Previous message: Manivannan Sadhasivam: "Re: [PATCH] PCI: mediatek-gen3: select PCI_PWRCTRL_GENERIC correctly"
In reply to: Johan Hovold: "Re: [PATCH 1/5] spi: imx: fix use-after-free on unbind"
Next in thread: Johan Hovold: "Re: [PATCH 1/5] spi: imx: fix use-after-free on unbind"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Marc Kleine-Budde

Date: Mon Mar 23 2026 - 07:57:53 EST

On 23.03.2026 12:20:08, Johan Hovold wrote:
> On Mon, Mar 23, 2026 at 12:00:59PM +0100, Marc Kleine-Budde wrote:
> > On 23.03.2026 11:49:44, Johan Hovold wrote:
> > > The SPI subsystem frees the controller and any subsystem allocated
> > > driver data as part of deregistration (unless the allocation is device
> > > managed).
> > >
> > > Take another reference before deregistering the controller so that the
> > > driver data is not freed until the driver is done with it.
> >
> > Would re-ordering the spi_imx_remove() function be an alternative fix?
> > I.e. call spi_unregister_controller() last?
>
> No, the controller needs to be deregistered before disabling clocks and
> releasing other resources.

I see. So the API is a bit strange to use:

Allocate with spi_alloc_host(), free with spi_controller_put() before
spi_register_controller(), the free with spi_unregister_controller()
afterwards.

But spi_unregister_controller() shuts down the SPI interface _and_ frees
the memory. Which is the culprit here.

Would using devm_spi_alloc_host() be an option here?

regards,
Marc

--
Pengutronix e.K. | Marc Kleine-Budde |
Embedded Linux | https://www.pengutronix.de |
Vertretung Nürnberg | Phone: +49-5121-206917-129 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-9 |

Attachment: signature.asc
Description: PGP signature