Date: Mon, 23 Mar 2026 14:59:49 +0100
From: Johan Hovold
To: Marc Kleine-Budde
Cc: Mark Brown, Frank Li, Sascha Hauer, Heiko Stuebner, Laxman Dewangan, linux-spi@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH 1/5] spi: imx: fix use-after-free on unbind
In-Reply-To: <20260323-dangerous-brown-polecat-a4988f-mkl@pengutronix.de>

On Mon, Mar 23, 2026 at 12:57:42PM +0100, Marc Kleine-Budde wrote:
> On 23.03.2026 12:20:08, Johan Hovold wrote:
> > On Mon, Mar 23, 2026 at 12:00:59PM +0100, Marc Kleine-Budde wrote:
> > > On 23.03.2026 11:49:44, Johan Hovold wrote:
> > > > The SPI subsystem frees the controller and any subsystem allocated
> > > > driver data as part of deregistration (unless the allocation is device
> > > > managed).
> > > >
> > > > Take another reference before deregistering the controller so that the
> > > > driver data is not freed until the driver is done with it.
> > >
> > > Would re-ordering the spi_imx_remove() function be an alternative fix?
> > > I.e. call spi_unregister_controller() last?
> >
> > No, the controller needs to be deregistered before disabling clocks and
> > releasing other resources.
>
> I see. So the API is a bit strange to use:
>
> Allocate with spi_alloc_host(), free with spi_controller_put() before
> spi_register_controller(), then free with spi_unregister_controller()
> afterwards.
>
> But spi_unregister_controller() shuts down the SPI interface _and_ frees
> the memory. Which is the culprit here.

Indeed, it's a known issue with the SPI API. See for example:

	68b892f1fdc4 ("spi: document odd controller reference handling")
	5e844cc37a5c ("spi: Introduce device-managed SPI controller allocation")
	f0c35a024cce ("spi: fix misleading controller deregistration kernel-doc")

> Would using devm_spi_alloc_host() be an option here?

It can also be used, but that's more intrusive so I did that as a
follow-on cleanup to the fix (see patch 2/5).

Johan
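
The reference handling discussed in this message, as an added example that is not part of the original mail or of the kernel sources: a userspace C model in which deregistration drops the allocation reference, so teardown only finds live driver data if an extra reference is taken first. All model_* names are hypothetical stand-ins for the SPI core calls named above.

```c
/* Userspace model, constructed for illustration; not kernel code.
 * The model_* names are hypothetical stand-ins for the SPI core calls. */
#include <stdbool.h>
#include <stdlib.h>

struct model_ctlr {
	int refs;        /* stands in for the controller's device refcount */
	bool *released;  /* set when the last reference is dropped */
	int clk_on;      /* driver data sharing the controller allocation */
};

static void model_get(struct model_ctlr *c) { c->refs++; }

static void model_put(struct model_ctlr *c)
{
	if (--c->refs == 0) {
		*c->released = true;  /* driver data is gone from here on */
		free(c);
	}
}

/* As described in the thread: deregistration also drops the reference. */
static void model_unregister(struct model_ctlr *c) { model_put(c); }

/* True if driver data outlived deregistration and was freed afterwards. */
static bool model_remove(bool take_ref)
{
	bool released = false, alive;
	struct model_ctlr *c = calloc(1, sizeof(*c));

	if (!c)
		return false;
	c->refs = 1;                  /* reference held since allocation */
	c->released = &released;
	c->clk_on = 1;
	if (take_ref)
		model_get(c);         /* the fix: hold the data across teardown */
	model_unregister(c);
	alive = !released;
	if (alive) {
		c->clk_on = 0;        /* teardown that touches driver data */
		model_put(c);         /* last reference: allocation freed here */
	}
	return alive && released;
}

int main(void)
{
	/* exit status 0 when only the variant with the extra reference is safe */
	return !(model_remove(true) && !model_remove(false));
}
```

The model checks the released flag instead of dereferencing freed memory, so the variant without the extra reference reports the use-after-free window without triggering one.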