From: Johan Hovold <johan@kernel.org>
To: Mark Brown <broonie@kernel.org>
Cc: linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org,
Johan Hovold <johan@kernel.org>, Felix Gu <ustc.gu@gmail.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Subject: [PATCH] spi: fix use-after-free on managed registration failure
Date: Wed, 25 Mar 2026 15:53:19 +0100 [thread overview]
Message-ID: <20260325145319.1132072-1-johan@kernel.org> (raw)
The SPI API is asymmetric and the controller is freed as part of
deregistration (unless it has been allocated using
devm_spi_alloc_host/target()).
A recent change converting the managed registration function to use
devm_add_action_or_reset() inadvertently introduced a (mostly
theoretical) regression where a non-devres managed controller could be
freed as part of failed registration. This in turn would lead to
use-after-free in controller driver error paths.
Fix this by taking another reference before calling
devm_add_action_or_reset() and not releasing it on errors for
non-devres allocated controllers.
An alternative would be a partial revert of the offending commit, but
it is better to handle this explicitly until the API has been fixed
(e.g. see 5e844cc37a5c ("spi: Introduce device-managed SPI controller
allocation")).
Fixes: b6376dbed8e1 ("spi: Simplify devm_spi_*_controller()")
Reported-by: Felix Gu <ustc.gu@gmail.com>
Link: https://lore.kernel.org/all/20260324145548.139952-1-ustc.gu@gmail.com/
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
drivers/spi/spi.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index cb00619864cf..aac378e668a8 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -3537,8 +3537,19 @@ int devm_spi_register_controller(struct device *dev,
if (ret)
return ret;
- return devm_add_action_or_reset(dev, devm_spi_unregister_controller, ctlr);
+ /*
+ * Prevent controller from being freed by spi_unregister_controller()
+ * if devm_add_action_or_reset() fails for a non-devres allocated
+ * controller.
+ */
+ spi_controller_get(ctlr);
+
+ ret = devm_add_action_or_reset(dev, devm_spi_unregister_controller, ctlr);
+ if (ret == 0 || ctlr->devm_allocated)
+ spi_controller_put(ctlr);
+
+ return ret;
}
EXPORT_SYMBOL_GPL(devm_spi_register_controller);
--
2.52.0
next reply other threads:[~2026-03-25 14:53 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-25 14:53 Johan Hovold [this message]
2026-03-26 9:35 ` [PATCH] spi: fix use-after-free on managed registration failure Andy Shevchenko
2026-03-26 19:19 ` Andy Shevchenko
2026-03-26 19:25 ` Mark Brown
2026-03-27 7:20 ` Andy Shevchenko
2026-03-27 8:47 ` Johan Hovold
2026-03-27 8:53 ` Andy Shevchenko
2026-03-27 16:44 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260325145319.1132072-1-johan@kernel.org \
--to=johan@kernel.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=broonie@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-spi@vger.kernel.org \
--cc=ustc.gu@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.