[PATCH 1/2] spi: atcspi200: fix use-after-free when driver unbind

Next message: Benjamin Gaignard: "Re: [RFC] media: Add AFBC pixel formats"
Previous message: Felix Gu: "[PATCH 0/2] spi: atcspi200: two cleanup"
In reply to: Felix Gu: "[PATCH 2/2] spi: atcspi200: switch to devm functions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Felix Gu

Date: Thu Apr 16 2026 - 12:30:54 EST

DMA resource is initialized after SPI controller registration. So
when driver unbind, this can trigger a use-after-free when DMA is
torn down while the controller is still alive and triggers DMA transfers.

Fixes: 34e3815ea459 ("spi: atcspi200: Add ATCSPI200 SPI controller driver")
Signed-off-by: Felix Gu <ustc.gu@xxxxxxxxx>
---
drivers/spi/spi-atcspi200.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/spi/spi-atcspi200.c b/drivers/spi/spi-atcspi200.c
index 3832d9db3cbf..c5cf1aa2d674 100644
--- a/drivers/spi/spi-atcspi200.c
+++ b/drivers/spi/spi-atcspi200.c
@@ -575,12 +575,6 @@ static int atcspi_probe(struct platform_device *pdev)
if (ret)
goto free_controller;

- ret = devm_spi_register_controller(&pdev->dev, host);
- if (ret) {
- dev_err_probe(spi->dev, ret,
- "Failed to register SPI controller\n");
- goto free_controller;
- }
spi->use_dma = false;
if (ATCSPI_DMA_SUPPORT) {
ret = atcspi_configure_dma(spi);
@@ -591,6 +585,13 @@ static int atcspi_probe(struct platform_device *pdev)
spi->use_dma = true;
}

+ ret = devm_spi_register_controller(&pdev->dev, host);
+ if (ret) {
+ dev_err_probe(spi->dev, ret,
+ "Failed to register SPI controller\n");
+ goto free_controller;
+ }
+
return 0;

free_controller:

--
2.43.0