[PATCH 4/8] spi: mpc52xx: fix use-after-free on unbind

Next message: James Clark: "Re: [PATCH v2 02/16] perf capstone: Fix arm64 jump/adrp disassembly mismatch with objdump"
Previous message: Johan Hovold: "[PATCH 8/8] spi: topcliff-pch: fix use-after-free on unbind"
In reply to: Johan Hovold: "[PATCH 8/8] spi: topcliff-pch: fix use-after-free on unbind"
Next in thread: Johan Hovold: "[PATCH 3/8] spi: mpc52xx: fix controller deregistration"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johan Hovold

Date: Tue Apr 14 2026 - 09:51:34 EST

The state machine work is scheduled by the interrupt handler and
therefore needs to be cancelled after disabling interrupts to avoid a
potential use-after-free.

Fixes: 984836621aad ("spi: mpc52xx: Add cancel_work_sync before module remove")
Cc: stable@xxxxxxxxxxxxxxx
Cc: Pei Xiao <xiaopei01@xxxxxxxxxx>
Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
---
drivers/spi/spi-mpc52xx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/spi/spi-mpc52xx.c b/drivers/spi/spi-mpc52xx.c
index 823b49f8ece2..c8c8e6bdf421 100644
--- a/drivers/spi/spi-mpc52xx.c
+++ b/drivers/spi/spi-mpc52xx.c
@@ -519,10 +519,11 @@ static void mpc52xx_spi_remove(struct platform_device *op)

spi_unregister_controller(host);

- cancel_work_sync(&ms->work);
free_irq(ms->irq0, ms);
free_irq(ms->irq1, ms);

+ cancel_work_sync(&ms->work);
+
for (i = 0; i < ms->gpio_cs_count; i++)
gpiod_put(ms->gpio_cs[i]);

--
2.52.0