From: Felix Gu <ustc.gu@gmail.com>
To: Mark Brown <broonie@kernel.org>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org,
Felix Gu <ustc.gu@gmail.com>
Subject: Re: [PATCH v1 1/1] spi: Simplify devm_spi_*_controller()
Date: Tue, 24 Mar 2026 22:55:48 +0800 [thread overview]
Message-ID: <20260324145548.139952-1-ustc.gu@gmail.com> (raw)
In-Reply-To: <176797260995.67850.318976521283878747.b4-ty@kernel.org>
> /**
> @@ -3398,22 +3395,14 @@ static void devm_spi_unregister(struct device *dev, void *res)
> int devm_spi_register_controller(struct device *dev,
> struct spi_controller *ctlr)
> {
> - struct spi_controller **ptr;
> int ret;
>
> - ptr = devres_alloc(devm_spi_unregister, sizeof(*ptr), GFP_KERNEL);
> - if (!ptr)
> - return -ENOMEM;
> -
> ret = spi_register_controller(ctlr);
> - if (!ret) {
> - *ptr = ctlr;
> - devres_add(dev, ptr);
> - } else {
> - devres_free(ptr);
> - }
> + if (ret)
> + return ret;
> +
> + return devm_add_action_or_reset(dev, devm_spi_unregister_controller, ctlr);
>
> - return ret;
> }
> EXPORT_SYMBOL_GPL(devm_spi_register_controller);
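Review bot: the devres node is now allocated only after spi_register_controller() has already succeeded, so when devm_add_action_or_reset() fails it runs devm_spi_unregister_controller(ctlr) straight away and then returns the error to a caller that still holds ctlr; the removed code reserved the node with devres_alloc() first and returned -ENOMEM before registering anything, leaving the controller untouched on that error path. Either keep the allocate-first ordering (devres_alloc() before spi_register_controller(), devres_add() after), or document in the kerneldoc for devm_spi_register_controller() that on error the controller has been unregistered (and, for controllers that are not devm-allocated, released) so callers must not use ctlr afterwards. Minor: dropping `return ret;` leaves a stray blank line between `return devm_add_action_or_reset(...)` and the closing brace.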
Hi Andy and Mark,
It seems there is a potential corner case in this commit.
The issue is that devm_add_action_or_reset() triggers its callback
immediately if the internal devres allocation fails. This creates the
following sequence:
1. spi_register_controller(ctlr) succeeds.
2. devm_add_action_or_reset() is called but fails.
3. The "reset" triggers devm_spi_unregister_controller(ctlr) immediately.
4. This calls spi_unregister_controller(ctlr).
5. For controllers allocated via spi_alloc_host() (where
ctlr->devm_allocated is false), spi_unregister_controller() calls
put_device(&ctlr->dev).
6. This drops the reference count to zero and frees the ctlr structure.
However, the driver still holds the ctlr pointer and will typically
attempt its own cleanup, leading to a use-after-free or double-free.
What are your thoughts on this? Does this analysis seem correct, or am
I missing a detail in how the refcounting is handled here?
Best regards,
Felix
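To make the sequence above concrete, here is a userspace C model of it. This is an added example, not kernel code and not part of Felix's message: the structures, the fault injection, and both registration orderings are constructed, and the model assumes exactly the behaviour the reply attributes to spi_unregister_controller() (put_device() when ctlr->devm_allocated is false) and to devm_add_action_or_reset() (callback runs immediately when the devres allocation fails). The function names mirror the kernel API only for readability.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model (not the kernel's struct spi_controller). */
struct spi_controller {
	int refcount;        /* stands in for the kobject refcount of ctlr->dev */
	bool devm_allocated; /* false for spi_alloc_host() users, per the reply */
	bool registered;
	bool freed;          /* set when the last reference is dropped */
};

/* Constructed model of the devres list: one pending release action. */
struct device {
	void (*action)(void *);
	void *action_data;
	bool action_pending;
};

/* Fault injection: when set, the next devres allocation fails (assumption). */
static bool fail_next_alloc;

static void put_device(struct spi_controller *ctlr)
{
	if (--ctlr->refcount == 0)
		ctlr->freed = true; /* a real kernel would kfree() the object here */
}

static int spi_register_controller(struct spi_controller *ctlr)
{
	ctlr->registered = true;
	return 0;
}

/* Assumed behaviour from the reply: non-devm controllers lose a reference. */
static void spi_unregister_controller(struct spi_controller *ctlr)
{
	ctlr->registered = false;
	if (!ctlr->devm_allocated)
		put_device(ctlr);
}

static void devm_spi_unregister_controller(void *data)
{
	spi_unregister_controller(data);
}

/* Model of devm_add_action_or_reset(): on allocation failure the action
 * runs immediately and -ENOMEM is returned. */
static int devm_add_action_or_reset(struct device *dev, void (*action)(void *),
				    void *data)
{
	if (fail_next_alloc) {
		fail_next_alloc = false;
		action(data);
		return -ENOMEM;
	}
	dev->action = action;
	dev->action_data = data;
	dev->action_pending = true;
	return 0;
}

/* Ordering used by the patch: register first, then record the release. */
static int register_then_add_action(struct device *dev, struct spi_controller *ctlr)
{
	int ret = spi_register_controller(ctlr);

	if (ret)
		return ret;
	return devm_add_action_or_reset(dev, devm_spi_unregister_controller, ctlr);
}

/* Ordering used by the removed code: reserve the devres node before
 * registering, so an allocation failure never touches ctlr. */
static int alloc_then_register(struct device *dev, struct spi_controller *ctlr)
{
	int ret;

	if (fail_next_alloc) {
		fail_next_alloc = false;
		return -ENOMEM;
	}
	ret = spi_register_controller(ctlr);
	if (ret)
		return ret;
	dev->action = devm_spi_unregister_controller;
	dev->action_data = ctlr;
	dev->action_pending = true;
	return 0;
}

typedef int (*register_fn)(struct device *, struct spi_controller *);

struct outcome {
	int ret;
	bool freed;      /* caller's ctlr pointer is now dangling */
	bool registered; /* controller left registered after the error */
};

/* Inject one devres allocation failure and report what the caller is left with. */
static struct outcome simulate_alloc_failure(register_fn reg, bool devm_allocated)
{
	struct device dev = { 0 };
	struct spi_controller ctlr = { .refcount = 1, .devm_allocated = devm_allocated };
	struct outcome out;

	fail_next_alloc = true;
	out.ret = reg(&dev, &ctlr);
	out.freed = ctlr.freed;
	out.registered = ctlr.registered;
	return out;
}

int main(void)
{
	struct outcome a = simulate_alloc_failure(register_then_add_action, false);
	struct outcome b = simulate_alloc_failure(alloc_then_register, false);

	printf("register-then-add: ret=%d freed=%d\n", a.ret, a.freed);
	printf("alloc-then-register: ret=%d freed=%d\n", b.ret, b.freed);
	return 0;
}
```

With the patch's ordering, the error return and the freed controller arrive together, so any cleanup the probe function does with ctlr after checking the return value touches released memory; with the old ordering the same -ENOMEM leaves ctlr unregistered and still owned by the caller.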
Thread overview:
2026-01-08 17:51 [PATCH v1 1/1] spi: Simplify devm_spi_*_controller() Andy Shevchenko
2026-01-09 15:30 ` Mark Brown
2026-03-24 14:55 ` Felix Gu [this message]
2026-03-25 9:54 ` Andy Shevchenko
2026-03-25 10:22 ` Felix Gu
2026-03-25 11:36 ` Andy Shevchenko
2026-03-25 15:03 ` Johan Hovold
2026-03-26 9:29 ` Andy Shevchenko
2026-03-25 14:59 ` Johan Hovold