[PATCH 2/2] spi: offload: fix use after free
From: David Lechner
Date: Wed Feb 12 2025 - 12:33:36 EST
Fix a use after free bug in devm_spi_offload_get() where a pointer
was dereferenced after being freed. Instead, add a new local variable
to avoid needing to use the resource pointer to access the offload
pointer.
Reported-by: kernel test robot <lkp@xxxxxxxxx>
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Closes: https://lore.kernel.org/r/202502112344.7ggtFzyn-lkp@xxxxxxxxx/
Fixes: 5a19e1985d01 ("spi: axi-spi-engine: implement offload support")
Signed-off-by: David Lechner <dlechner@xxxxxxxxxxxx>
---
drivers/spi/spi-offload.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/spi/spi-offload.c b/drivers/spi/spi-offload.c
index df5e963d5ee29d37833559595536a460c530bc81..6bad042fe4373e8b91dae3154ef5e22744a4acd0 100644
--- a/drivers/spi/spi-offload.c
+++ b/drivers/spi/spi-offload.c
@@ -108,6 +108,7 @@ struct spi_offload *devm_spi_offload_get(struct device *dev,
const struct spi_offload_config *config)
{
struct spi_controller_and_offload *resource;
+ struct spi_offload *offload;
int ret;
if (!spi || !config)
@@ -120,18 +121,20 @@ struct spi_offload *devm_spi_offload_get(struct device *dev,
if (!resource)
return ERR_PTR(-ENOMEM);
- resource->controller = spi->controller;
- resource->offload = spi->controller->get_offload(spi, config);
- if (IS_ERR(resource->offload)) {
+ offload = spi->controller->get_offload(spi, config);
+ if (IS_ERR(offload)) {
kfree(resource);
- return resource->offload;
+ return offload;
}
+ resource->controller = spi->controller;
+ resource->offload = offload;
+
ret = devm_add_action_or_reset(dev, spi_offload_put, resource);
if (ret)
return ERR_PTR(ret);
- return resource->offload;
+ return offload;
}
EXPORT_SYMBOL_GPL(devm_spi_offload_get);
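Review bot: The `if (ret) return ERR_PTR(ret);` path after devm_add_action_or_reset() carries the same ownership hazard this patch fixes in the IS_ERR() branch, and nothing in the code documents it. On failure, devm_add_action_or_reset() runs the action itself, so spi_offload_put(resource) has already been called and `resource` should be treated as released at that point. That spi_offload_put() frees the struct is inferred, since its body is not in the hunk. I would add a comment above that check, for example `/* on failure the action already ran: resource is released, do not kfree() or dereference it */`, so a later edit does not reintroduce a double free or a read through `resource`. The part of the function between the two hunks is not shown, so this covers only the visible lines.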
--
2.43.0