public inbox for linux-spi@vger.kernel.org
From: Johan Hovold <johan@kernel.org>
To: Felix Gu <ustc.gu@gmail.com>
Cc: Mark Brown <broonie@kernel.org>,
	Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
	linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1 1/1] spi: Simplify devm_spi_*_controller()
Date: Wed, 25 Mar 2026 15:59:29 +0100
Message-ID: <acP4UXadtVIEF4mu@hovoldconsulting.com>
In-Reply-To: <20260324145548.139952-1-ustc.gu@gmail.com>

On Tue, Mar 24, 2026 at 10:55:48PM +0800, Felix Gu wrote:
> >  /**
> > @@ -3398,22 +3395,14 @@ static void devm_spi_unregister(struct device *dev, void *res)
> >  int devm_spi_register_controller(struct device *dev,
> >  				 struct spi_controller *ctlr)
> >  {
> > -	struct spi_controller **ptr;
> >  	int ret;
> >  
> > -	ptr = devres_alloc(devm_spi_unregister, sizeof(*ptr), GFP_KERNEL);
> > -	if (!ptr)
> > -		return -ENOMEM;
> > -
> >  	ret = spi_register_controller(ctlr);
> > -	if (!ret) {
> > -		*ptr = ctlr;
> > -		devres_add(dev, ptr);
> > -	} else {
> > -		devres_free(ptr);
> > -	}
> > +	if (ret)
> > +		return ret;
> > +
> > +	return devm_add_action_or_reset(dev, devm_spi_unregister_controller, ctlr);
> >  
> > -	return ret;
> >  }
> >  EXPORT_SYMBOL_GPL(devm_spi_register_controller);
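Review bot: the new error path in devm_spi_register_controller() can return with ctlr already freed. devm_add_action_or_reset() runs the action immediately when its own devres allocation fails, so on that path devm_spi_unregister_controller() is called on a controller that spi_register_controller() has just registered successfully; for a controller that is not devm-allocated, spi_unregister_controller() drops the device reference, and the caller then receives an error while still holding a pointer it will typically clean up itself (double put or use-after-free). The removed code avoided this by doing `ptr = devres_alloc(...)` before `ret = spi_register_controller(ctlr);`, so a failed allocation returned -ENOMEM with nothing registered. Suggest keeping that ordering, or otherwise guaranteeing that the error return leaves ctlr valid for the caller's cleanup.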

> It seems there is a potential corner case in this commit.
> 
> The issue is that devm_add_action_or_reset() triggers its callback 
> immediately if the internal devres allocation fails. This creates the 
> following sequence:
> 1. spi_register_controller(ctlr) succeeds.
> 2. devm_add_action_or_reset() is called but fails.
> 3. The "reset" triggers devm_spi_unregister_controller(ctlr) immediately.
> 4. This calls spi_unregister_controller(ctlr).
> 5. For controllers allocated via spi_alloc_host() (where 
>    ctlr->devm_allocated is false), spi_unregister_controller() calls 
>    put_device(&ctlr->dev).
> 6. This drops the reference count to zero and frees the ctlr structure.
> 
> However, the driver still holds the ctlr pointer and will typically 
> attempt its own cleanup, leading to a use-after-free or double-free.

Indeed, you're right. I stumbled over this change as well recently and
flagged it as something that's likely broken, but when I had another
quick look at it I somehow convinced myself that my instinct had been
wrong.

I just sent a patch to fix this here:

	https://lore.kernel.org/all/20260325145319.1132072-1-johan@kernel.org/

I think handling this explicitly is preferred over reverting as
otherwise someone will just send the same conversion again later.

Johan
