Date: Thu, 22 Oct 2020 14:12:54 +0200
From: Lukas Wunner
To: Florian Fainelli
Cc: Mark Brown, Vladimir Oltean, linux-kernel@vger.kernel.org, linux-spi
Subject: Re: Use after free in bcm2835_spi_remove()
Message-ID: <20201022121254.GA3847@wunner.de>
References: <20201014140912.GB24850@wunner.de> <20201014194035.ukduovokggu37uba@skbuf> <20201014202505.GF4580@sirena.org.uk>
List-ID: linux-spi@vger.kernel.org

On Wed, Oct 14, 2020 at 02:20:16PM -0700, Florian Fainelli wrote:
> In bcm2835_spi_remove(), spi_controller_unregister() will free the ctlr
> reference which will lead to a use after free in bcm2835_release_dma().
>
> To avoid this use after free, allocate the bcm2835_spi structure with a
> different lifecycle than the spi_controller structure such that we
> unregister the SPI controller, free up all the resources and finally let
> device managed allocations free the bcm2835_spi structure.
[...]
> -	if (ctlr->dma_tx) {
> -		dmaengine_terminate_sync(ctlr->dma_tx);
> +	if (dma_tx) {
> +		dmaengine_terminate_sync(dma_tx);
>
>  		if (bs->fill_tx_desc)
>  			dmaengine_desc_free(bs->fill_tx_desc);
>
>  		if (bs->fill_tx_addr)
> -			dma_unmap_page_attrs(ctlr->dma_tx->device->dev,
> +			dma_unmap_page_attrs(dma_tx->device->dev,
>  					     bs->fill_tx_addr, sizeof(u32),
>  					     DMA_TO_DEVICE,
>  					     DMA_ATTR_SKIP_CPU_SYNC);
>
> -		dma_release_channel(ctlr->dma_tx);
> -		ctlr->dma_tx = NULL;
> +		dma_release_channel(dma_tx);
>  	}

You must set ctlr->dma_tx and ctlr->dma_rx to NULL because the driver
checks their value in a couple of places. E.g. bcm2835_spi_setup()
checks ctlr->dma_rx. Likewise, the error paths of bcm2835_dma_init() and
bcm2835_spi_probe() call bcm2835_dma_release() and the latter checks
ctlr->dma_tx and ctlr->dma_rx to determine whether DMA was set up, hence
needs to be torn down.

> +	bs = devm_kzalloc(&pdev->dev, sizeof(*bs), GFP_KERNEL);
> +	if (!bs)
> +		return -ENOMEM;
> +
>  	ctlr = spi_alloc_master(&pdev->dev, ALIGN(sizeof(*bs),
>  						  dma_get_cache_alignment()));

You can set the second argument to spi_alloc_master() to 0 to conserve
memory.

Thanks,

Lukas
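Review bot: in the first hunk, dropping `ctlr->dma_tx = NULL;` after `dma_release_channel(dma_tx);` leaves the controller holding a stale channel pointer, and the reply lists the places that still consult it: bcm2835_spi_setup() and the error paths of bcm2835_dma_init() and bcm2835_spi_probe(), which go through bcm2835_dma_release() and read ctlr->dma_tx/ctlr->dma_rx to decide whether DMA needs tearing down. On those paths ctlr is still alive, so the fields should be cleared there (by the caller that still has a valid ctlr, if the release helper is no longer allowed to touch it); only the remove path, where ctlr is already gone, should rely on the detached `dma_tx` alone. The same applies to the rx side, which this hunk does not show.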
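Review bot: in the second hunk, the second argument to spi_alloc_master() still reserves `ALIGN(sizeof(*bs), dma_get_cache_alignment())` bytes of driver-private tail that nothing uses now that `bs` comes from devm_kzalloc(), so pass 0 as the reply suggests. The `devm_kzalloc()` call also deserves a one-line comment saying that bs is deliberately allocated apart from the controller so it survives spi_controller_unregister(); at present that reason lives only in the commit description.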
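The lifecycle problem described in the quoted commit text, modelled as an added C example that is neither the driver's code nor part of this thread. Every name here (toy_*, controller, drv_priv, remove_embedded, remove_separate, release_dma_*) is a hypothetical stand-in for spi_controller, bcm2835_spi, spi_controller_unregister() and bcm2835_release_dma(); a small tracking allocator stands in for the kernel allocator so the model can report a use after free instead of committing one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Tracking allocator (constructed for this model): remembers live ranges so
 * a dereference of freed memory can be detected rather than performed. */
#define MAX_LIVE 16
static struct { void *base; size_t size; } live[MAX_LIVE];

static void *toy_alloc(size_t n)
{
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_LIVE; i++)
        if (!live[i].base) {
            live[i].base = p;
            live[i].size = n;
            return p;
        }
    free(p);
    return NULL;
}

/* True when p points into an allocation that has not been freed. */
static bool toy_live(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < MAX_LIVE; i++) {
        uintptr_t b = (uintptr_t)live[i].base;
        if (live[i].base && a >= b && a < b + live[i].size)
            return true;
    }
    return false;
}

static void toy_free(void *p)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (p && live[i].base == p) {
            live[i].base = NULL;
            free(p);
            return;
        }
}

struct dma_chan { int released; };
struct drv_priv { int fill_tx_desc_freed; };   /* bcm2835_spi stand-in */

/* spi_controller stand-in; priv[] is the private tail that the size argument
 * of spi_alloc_master() reserves and that the old code used for bs. */
struct controller {
    struct dma_chan *dma_tx;
    struct drv_priv *devdata;
    unsigned char priv[];
};

/* spi_controller_unregister() stand-in: last reference drops, ctlr is freed. */
static void controller_unregister(struct controller *ctlr)
{
    toy_free(ctlr);
}

/* Old release shape: channel and private data are both reached through ctlr. */
static int release_dma_via_ctlr(struct controller *ctlr)
{
    if (!toy_live(ctlr))
        return -1;   /* the use after free from the subject line */
    ctlr->devdata->fill_tx_desc_freed = 1;
    ctlr->dma_tx->released = 1;
    return 0;
}

/* Patched shape: bs and the channel are passed in; ctlr is never touched. */
static int release_dma_detached(struct drv_priv *bs, struct dma_chan *tx)
{
    if (!toy_live(bs))
        return -1;
    bs->fill_tx_desc_freed = 1;
    tx->released = 1;
    return 0;
}

/* Before the patch: bs lives in ctlr's tail, so unregister frees both and the
 * teardown that follows runs on freed memory. Returns -1. */
int remove_embedded(void)
{
    static struct dma_chan chan;
    struct controller *ctlr = toy_alloc(sizeof(*ctlr) + sizeof(struct drv_priv));
    if (!ctlr)
        return -2;
    ctlr->devdata = (struct drv_priv *)ctlr->priv;
    ctlr->dma_tx = &chan;
    controller_unregister(ctlr);
    return release_dma_via_ctlr(ctlr);
}

/* After the patch: bs has its own allocation (devm in the real driver) that
 * outlives ctlr, and the channel pointer is copied out first. Returns 0. */
int remove_separate(void)
{
    static struct dma_chan chan;
    struct drv_priv *bs = toy_alloc(sizeof(*bs));
    struct controller *ctlr = toy_alloc(sizeof(*ctlr));   /* size argument 0 */
    if (!bs || !ctlr) {
        toy_free(bs);
        toy_free(ctlr);
        return -2;
    }
    ctlr->devdata = bs;
    ctlr->dma_tx = &chan;
    struct dma_chan *dma_tx = ctlr->dma_tx;
    controller_unregister(ctlr);
    int rc = release_dma_detached(bs, dma_tx);
    toy_free(bs);   /* devm releases bs after remove() returns */
    return rc;
}
```

The two remove functions differ only in where bs lives and in whether the teardown dereferences ctlr after unregister; that is exactly the split the patch makes, and the reply's point about clearing ctlr->dma_tx/ctlr->dma_rx applies to the probe error paths, where ctlr is still valid, not to this remove ordering.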